
Windows Analysis Report
RFQ-1024.exe

Overview

General Information

Sample name: RFQ-1024.exe
Analysis ID: 1520586
MD5: 3429170427053d7d39dc81b889d0097e
SHA1: 8631c8767beda82b2b14f2de215d745e512f3ea2
SHA256: 6dc1bba66cba9a4ee7a5156375e1935bd30c6b1022bea4082fb3714ce5c73e07
Tags: exe, user-lowmal3

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to resolve many domain names, but no domain seems valid
Uses netsh to modify the Windows network and firewall settings
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • RFQ-1024.exe (PID: 2940 cmdline: "C:\Users\user\Desktop\RFQ-1024.exe" MD5: 3429170427053D7D39DC81B889D0097E)
    • powershell.exe (PID: 5008 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ-1024.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 5936 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • RFQ-1024.exe (PID: 4608 cmdline: "C:\Users\user\Desktop\RFQ-1024.exe" MD5: 3429170427053D7D39DC81B889D0097E)
      • explorer.exe (PID: 4004 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • netsh.exe (PID: 6140 cmdline: "C:\Windows\SysWOW64\netsh.exe" MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
          • cmd.exe (PID: 4876 cmdline: /c del "C:\Users\user\Desktop\RFQ-1024.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 4196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
{"C2 list": ["www.ridges-freezers-56090.bond/c24t/"], "decoy": ["ealthbridgeccs.online", "ngelicais.art", "uktuksu1.sbs", "fapoker.asia", "hecreature.tech", "orenzoplaybest14.xyz", "op-smartphones-deal.today", "delark.click", "7395.asia", "otnews.cfd", "j16e.xyz", "oko.events", "fscxb.top", "roudtxliberals.vote", "asas-br.bond", "ourhealthyourlife.shop", "fbpd.top", "j9u9.xyz", "uijiuw.top", "aming-chair-37588.bond", "uaweiharmony.top", "458881233.men", "ewancash.boats", "mss-rb2.net", "472.top", "yhomeshop.online", "j88.travel", "02s-pest-control-us-ze.fun", "oinl.club", "ouseware.today", "1385.net", "eviewmadu.top", "khizmetlergirisyapzzz2024.net", "dcnn.net", "aketrtpmvpslot88.info", "hoys.club", "ealerslot.net", "consuyt.xyz", "ilw.legal", "aithful.events", "est-life-insurance-2507.today", "rvinsadeli.dev", "sx9u.shop", "23fd595ig.autos", "yrhbt.shop", "commerce-74302.bond", "lc-driving-school.net", "7y1ps.shop", "earing-tests-69481.bond", "amilablackwell.online", "venir-bienne.info", "024tengxun396.buzz", "ocoani.shop", "arage-door-repair-1.today", "entista-esp.today", "vto.stream", "loud-computing-intl-3455364.fyi", "9790.club", "us-inbox-messages.online", "aser-hair-removal-90284.bond", "etangkhap99.lol", "leaningjobs-cz.today", "nline-courses-classes-lv-1.bond", "essislotgoal14.xyz"]}
Source | Rule | Description | Author | Strings
00000005.00000002.2202528811.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    00000005.00000002.2202528811.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
      00000005.00000002.2202528811.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
      • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
      • 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
      • 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
      00000005.00000002.2202528811.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      00000005.00000002.2202528811.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
      • 0x18819:$sqlite3step: 68 34 1C 7B E1
      • 0x1892c:$sqlite3step: 68 34 1C 7B E1
      • 0x18848:$sqlite3text: 68 38 2A 90 C5
      • 0x1896d:$sqlite3text: 68 38 2A 90 C5
      • 0x1885b:$sqlite3blob: 68 53 D8 7F 8C
      • 0x18983:$sqlite3blob: 68 53 D8 7F 8C
      (24 further entries not shown)
      Source | Rule | Description | Author | Strings
      5.2.RFQ-1024.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
        5.2.RFQ-1024.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
          5.2.RFQ-1024.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
          • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
          • 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
          • 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
          • 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
          5.2.RFQ-1024.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          5.2.RFQ-1024.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
          • 0x18819:$sqlite3step: 68 34 1C 7B E1
          • 0x1892c:$sqlite3step: 68 34 1C 7B E1
          • 0x18848:$sqlite3text: 68 38 2A 90 C5
          • 0x1896d:$sqlite3text: 68 38 2A 90 C5
          • 0x1885b:$sqlite3blob: 68 53 D8 7F 8C
          • 0x18983:$sqlite3blob: 68 53 D8 7F 8C
          (5 further entries not shown)

          System Summary

          Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ-1024.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ-1024.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ-1024.exe", ParentImage: C:\Users\user\Desktop\RFQ-1024.exe, ParentProcessId: 2940, ParentProcessName: RFQ-1024.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ-1024.exe", ProcessId: 5008, ProcessName: powershell.exe
          Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ-1024.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ-1024.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ-1024.exe", ParentImage: C:\Users\user\Desktop\RFQ-1024.exe, ParentProcessId: 2940, ParentProcessName: RFQ-1024.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ-1024.exe", ProcessId: 5008, ProcessName: powershell.exe
          No Suricata rule has matched

          AV Detection

          Source: 00000005.00000002.2202528811.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.ridges-freezers-56090.bond/c24t/"], "decoy": ["ealthbridgeccs.online", "ngelicais.art", "uktuksu1.sbs", "fapoker.asia", "hecreature.tech", "orenzoplaybest14.xyz", "op-smartphones-deal.today", "delark.click", "7395.asia", "otnews.cfd", "j16e.xyz", "oko.events", "fscxb.top", "roudtxliberals.vote", "asas-br.bond", "ourhealthyourlife.shop", "fbpd.top", "j9u9.xyz", "uijiuw.top", "aming-chair-37588.bond", "uaweiharmony.top", "458881233.men", "ewancash.boats", "mss-rb2.net", "472.top", "yhomeshop.online", "j88.travel", "02s-pest-control-us-ze.fun", "oinl.club", "ouseware.today", "1385.net", "eviewmadu.top", "khizmetlergirisyapzzz2024.net", "dcnn.net", "aketrtpmvpslot88.info", "hoys.club", "ealerslot.net", "consuyt.xyz", "ilw.legal", "aithful.events", "est-life-insurance-2507.today", "rvinsadeli.dev", "sx9u.shop", "23fd595ig.autos", "yrhbt.shop", "commerce-74302.bond", "lc-driving-school.net", "7y1ps.shop", "earing-tests-69481.bond", "amilablackwell.online", "venir-bienne.info", "024tengxun396.buzz", "ocoani.shop", "arage-door-repair-1.today", "entista-esp.today", "vto.stream", "loud-computing-intl-3455364.fyi", "9790.club", "us-inbox-messages.online", "aser-hair-removal-90284.bond", "etangkhap99.lol", "leaningjobs-cz.today", "nline-courses-classes-lv-1.bond", "essislotgoal14.xyz"]}
          Source: RFQ-1024.exe | ReversingLabs: Detection: 60%
          Source: Yara match | File source: 5.2.RFQ-1024.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.RFQ-1024.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000005.00000002.2202528811.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.4564962370.00000000034B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.4565141271.0000000003720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.2150735906.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.4564832433.0000000003310000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
          Source: RFQ-1024.exe | Joe Sandbox ML: detected
          Source: RFQ-1024.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: RFQ-1024.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: jbBL.pdb source: RFQ-1024.exe
          Source: Binary string: jbBL.pdbSHA256 source: RFQ-1024.exe
          Source: Binary string: netsh.pdb source: RFQ-1024.exe, 00000005.00000002.2203220637.00000000014C0000.00000040.10000000.00040000.00000000.sdmp, RFQ-1024.exe, 00000005.00000002.2202774842.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, RFQ-1024.exe, 00000005.00000002.2202774842.0000000001015000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, netsh.exe, 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: netsh.pdbGCTL source: RFQ-1024.exe, 00000005.00000002.2203220637.00000000014C0000.00000040.10000000.00040000.00000000.sdmp, RFQ-1024.exe, 00000005.00000002.2202774842.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, RFQ-1024.exe, 00000005.00000002.2202774842.0000000001015000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: RFQ-1024.exe, 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000008.00000003.2202893581.00000000038B7000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000008.00000002.4565640687.0000000003DAE000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000008.00000002.4565640687.0000000003C10000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000008.00000003.2204803044.0000000003A60000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: RFQ-1024.exe, RFQ-1024.exe, 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, netsh.exe, 00000008.00000003.2202893581.00000000038B7000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000008.00000002.4565640687.0000000003DAE000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000008.00000002.4565640687.0000000003C10000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000008.00000003.2204803044.0000000003A60000.00000004.00000020.00020000.00000000.sdmp
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 4x nop then jmp 076B0F7Ch | 0_2_076B1255

          Networking

          Source: Malware configuration extractor | URLs: www.ridges-freezers-56090.bond/c24t/
          Source: unknown | DNS traffic detected: query: www.024tengxun396.buzz replaycode: Name error (3)
          Source: unknown | DNS traffic detected: query: www.ourhealthyourlife.shop replaycode: Name error (3)
          Source: unknown | DNS traffic detected: query: www.23fd595ig.autos replaycode: Name error (3)
          Source: unknown | DNS traffic detected: query: www.nline-courses-classes-lv-1.bond replaycode: Name error (3)
          Source: unknown | DNS traffic detected: query: www.ridges-freezers-56090.bond replaycode: Name error (3)
          Source: unknown | DNS traffic detected: query: www.venir-bienne.info replaycode: Name error (3)
          Source: unknown | DNS traffic detected: query: www.sx9u.shop replaycode: Name error (3)
          Source: unknown | DNS traffic detected: query: www.aketrtpmvpslot88.info replaycode: Name error (3)
          Source: unknown | DNS traffic detected: query: www.ilw.legal replaycode: Name error (3)
          Source: unknown | DNS traffic detected: query: www.458881233.men replaycode: Name error (3)
          Source: unknown | DNS traffic detected: query: www.472.top replaycode: Name error (3)
          Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: global traffic | DNS traffic detected: DNS query: www.sx9u.shop
          Source: global traffic | DNS traffic detected: DNS query: www.024tengxun396.buzz
          Source: global traffic | DNS traffic detected: DNS query: www.458881233.men
          Source: global traffic | DNS traffic detected: DNS query: www.ourhealthyourlife.shop
          Source: global traffic | DNS traffic detected: DNS query: www.nline-courses-classes-lv-1.bond
          Source: global traffic | DNS traffic detected: DNS query: www.ilw.legal
          Source: global traffic | DNS traffic detected: DNS query: www.472.top
          Source: global traffic | DNS traffic detected: DNS query: www.ridges-freezers-56090.bond
          Source: global traffic | DNS traffic detected: DNS query: www.23fd595ig.autos
          Source: global traffic | DNS traffic detected: DNS query: www.aketrtpmvpslot88.info
          Source: global traffic | DNS traffic detected: DNS query: www.venir-bienne.info
          Source: explorer.exe, 00000006.00000002.4569132555.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4569132555.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2149982749.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2149982749.000000000978C000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
          Source: RFQ-1024.exe | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
          Source: RFQ-1024.exe | String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
          Source: explorer.exe, 00000006.00000002.4569132555.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4569132555.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2149982749.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2149982749.000000000978C000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
          Source: explorer.exe, 00000006.00000002.4569132555.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4569132555.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2149982749.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2149982749.000000000978C000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
          Source: RFQ-1024.exe | String found in binary or memory: http://ocsp.comodoca.com0
          Source: explorer.exe, 00000006.00000002.4569132555.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4569132555.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2149982749.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2149982749.000000000978C000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
          Source: explorer.exe, 00000006.00000000.2149982749.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4569132555.000000000962B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
          Source: explorer.exe, 00000006.00000002.4568175553.0000000007B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4565608048.00000000028A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4568156857.0000000007B50000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
          Source: RFQ-1024.exe, 00000000.00000002.2150291866.0000000002E21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.024tengxun396.buzz
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.024tengxun396.buzz/c24t/
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.024tengxun396.buzz/c24t/www.458881233.men
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.024tengxun396.buzzReferer:
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.02s-pest-control-us-ze.fun
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.02s-pest-control-us-ze.fun/c24t/
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.02s-pest-control-us-ze.fun/c24t/www.loud-computing-intl-3455364.fyi
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.02s-pest-control-us-ze.funReferer:
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.23fd595ig.autos
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.23fd595ig.autos/c24t/
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.23fd595ig.autos/c24t/www.aketrtpmvpslot88.info
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.23fd595ig.autosReferer:
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.458881233.men
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.458881233.men/c24t/
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.458881233.men/c24t/www.ourhealthyourlife.shop
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.458881233.menReferer:
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.472.top
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.472.top/c24t/
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.472.top/c24t/www.ridges-freezers-56090.bond
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.472.topReferer:
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.aketrtpmvpslot88.info
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.aketrtpmvpslot88.info/c24t/
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.aketrtpmvpslot88.info/c24t/www.venir-bienne.info
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.aketrtpmvpslot88.infoReferer:
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.consuyt.xyz
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.consuyt.xyz/c24t/
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.consuyt.xyz/c24t/www.nline-courses-classes-lv-1.bond
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.consuyt.xyzReferer:
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ilw.legal
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ilw.legal/c24t/
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ilw.legal/c24t/www.472.top
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ilw.legalReferer:
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.loud-computing-intl-3455364.fyi
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.loud-computing-intl-3455364.fyi/c24t/
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.loud-computing-intl-3455364.fyiReferer:
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.nline-courses-classes-lv-1.bond
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.nline-courses-classes-lv-1.bond/c24t/
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.nline-courses-classes-lv-1.bond/c24t/www.ilw.legal
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.nline-courses-classes-lv-1.bondReferer:
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ourhealthyourlife.shop
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ourhealthyourlife.shop/c24t/
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ourhealthyourlife.shop/c24t/www.consuyt.xyz
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ourhealthyourlife.shopReferer:
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ridges-freezers-56090.bond
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ridges-freezers-56090.bond/c24t/
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ridges-freezers-56090.bond/c24t/www.23fd595ig.autos
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ridges-freezers-56090.bondReferer:
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.rvinsadeli.dev
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.rvinsadeli.dev/c24t/
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.rvinsadeli.dev/c24t/www.yrhbt.shop
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.rvinsadeli.devReferer:
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.sx9u.shop
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.sx9u.shop/c24t/
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.sx9u.shop/c24t/www.024tengxun396.buzz
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.sx9u.shopReferer:
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.venir-bienne.info
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.venir-bienne.info/c24t/
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.venir-bienne.info/c24t/www.rvinsadeli.dev
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.venir-bienne.infoReferer:
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.yrhbt.shop
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.yrhbt.shop/c24t/
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.yrhbt.shop/c24t/www.02s-pest-control-us-ze.fun
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.yrhbt.shopReferer:
          Source: explorer.exe, 00000006.00000003.2979402480.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2150393168.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4569132555.00000000099AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
          Source: explorer.exe, 00000006.00000000.2156445462.000000000BFDF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOS
          Source: explorer.exe, 00000006.00000000.2149982749.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4569132555.000000000962B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/
          Source: explorer.exe, 00000006.00000000.2149982749.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4569132555.000000000962B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/I
          Source: explorer.exe, 00000006.00000002.4569132555.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2149982749.000000000973C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
          Source: explorer.exe, 00000006.00000000.2149982749.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4569132555.000000000962B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
          Source: explorer.exe, 00000006.00000000.2146243663.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4567281591.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc
          Source: explorer.exe, 00000006.00000000.2146243663.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4567281591.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4569132555.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2149982749.000000000973C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
          Source: explorer.exe, 00000006.00000002.4569132555.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2149982749.000000000973C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.com
          Source: explorer.exe, 00000006.00000002.4567281591.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
          Source: explorer.exe, 00000006.00000002.4567281591.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
          Source: explorer.exe, 00000006.00000002.4567281591.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
          Source: explorer.exe, 00000006.00000002.4567281591.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
          Source: explorer.exe, 00000006.00000000.2146243663.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4567281591.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz
          Source: explorer.exe, 00000006.00000000.2146243663.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4567281591.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2156445462.000000000C048000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com-
          Source: explorer.exe, 00000006.00000002.4567281591.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
          Source: explorer.exe, 00000006.00000000.2146243663.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4567281591.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzME7S.img
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2156445462.000000000C048000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.come
          Source: explorer.exe, 00000006.00000002.4572480568.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2156445462.000000000BFEF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.comEMd
          Source: explorer.exe, 00000006.00000000.2146243663.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4567281591.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
          Source: explorer.exe, 00000006.00000000.2146243663.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4567281591.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
          Source: explorer.exe, 00000006.00000003.2979402480.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2150393168.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4569132555.00000000099AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wns.windows.com/e
          Source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2156445462.000000000C048000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.comM
          Source: RFQ-1024.exeString found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
          Source: explorer.exe, 00000006.00000000.2146243663.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4567281591.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/10-things-rich-people-never-buy-and-you-shouldn-t-ei
          Source: explorer.exe, 00000006.00000000.2146243663.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4567281591.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA
          Source: explorer.exe, 00000006.00000000.2146243663.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4567281591.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
          Source: explorer.exe, 00000006.00000000.2146243663.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4567281591.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF
          Source: explorer.exe, 00000006.00000000.2146243663.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4567281591.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri
          Source: explorer.exe, 00000006.00000000.2146243663.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4567281591.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-
          Source: explorer.exe, 00000006.00000000.2146243663.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4567281591.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h
          Source: explorer.exe, 00000006.00000000.2146243663.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4567281591.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu
          Source: explorer.exe, 00000006.00000000.2146243663.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4567281591.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation
          Source: explorer.exe, 00000006.00000000.2146243663.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4567281591.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c
          Source: explorer.exe, 00000006.00000000.2146243663.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4567281591.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
          Source: explorer.exe, 00000006.00000000.2146243663.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4567281591.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/world/us-supplies-ukraine-with-a-million-rounds-of-ammunition-seized-
          Source: explorer.exe, 00000006.00000000.2146243663.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4567281591.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-
          Source: explorer.exe, 00000006.00000000.2146243663.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4567281591.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve
          Source: explorer.exe, 00000006.00000000.2146243663.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4567281591.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com:443/en-us/feed

          E-Banking Fraud

          Source: Yara match | File source: 5.2.RFQ-1024.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.RFQ-1024.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000005.00000002.2202528811.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.4564962370.00000000034B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.4565141271.0000000003720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.2150735906.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.4564832433.0000000003310000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 5.2.RFQ-1024.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 5.2.RFQ-1024.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.RFQ-1024.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.2.RFQ-1024.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 5.2.RFQ-1024.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.RFQ-1024.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.2202528811.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000005.00000002.2202528811.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.2202528811.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.4564962370.00000000034B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000008.00000002.4564962370.00000000034B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.4564962370.00000000034B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.4565141271.0000000003720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000008.00000002.4565141271.0000000003720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.4565141271.0000000003720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.2150735906.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000000.00000002.2150735906.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.2150735906.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.4564832433.0000000003310000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000008.00000002.4564832433.0000000003310000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.4564832433.0000000003310000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: Process Memory Space: RFQ-1024.exe PID: 2940, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: RFQ-1024.exe PID: 4608, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR | Matched rule: Semi-Auto-generated - file ironshell.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
          Source: Process Memory Space: netsh.exe PID: 6140, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: initial sample | Static PE information: Filename: RFQ-1024.exe
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0041A330 NtCreateFile,5_2_0041A330
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0041A3E0 NtReadFile,5_2_0041A3E0
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0041A460 NtClose,5_2_0041A460
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0041A510 NtAllocateVirtualMemory,5_2_0041A510
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0041A2EA NtCreateFile,5_2_0041A2EA
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0041A32A NtCreateFile,5_2_0041A32A
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0041A3DA NtReadFile,5_2_0041A3DA
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0041A45E NtClose,5_2_0041A45E
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0041A50A NtAllocateVirtualMemory,5_2_0041A50A
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015A2B60 NtClose,LdrInitializeThunk,5_2_015A2B60
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015A2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,5_2_015A2BF0
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015A2AD0 NtReadFile,LdrInitializeThunk,5_2_015A2AD0
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015A2D10 NtMapViewOfSection,LdrInitializeThunk,5_2_015A2D10
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015A2D30 NtUnmapViewOfSection,LdrInitializeThunk,5_2_015A2D30
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015A2DD0 NtDelayExecution,LdrInitializeThunk,5_2_015A2DD0
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015A2DF0 NtQuerySystemInformation,LdrInitializeThunk,5_2_015A2DF0
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015A2C70 NtFreeVirtualMemory,LdrInitializeThunk,5_2_015A2C70
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015A2CA0 NtQueryInformationToken,LdrInitializeThunk,5_2_015A2CA0
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015A2F30 NtCreateSection,LdrInitializeThunk,5_2_015A2F30
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015A2FE0 NtCreateFile,LdrInitializeThunk,5_2_015A2FE0
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015A2F90 NtProtectVirtualMemory,LdrInitializeThunk,5_2_015A2F90
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015A2FB0 NtResumeThread,LdrInitializeThunk,5_2_015A2FB0
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015A2E80 NtReadVirtualMemory,LdrInitializeThunk,5_2_015A2E80
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015A2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,5_2_015A2EA0
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015A4340 NtSetContextThread,5_2_015A4340
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015A4650 NtSuspendThread,5_2_015A4650
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015A2BE0 NtQueryValueKey,5_2_015A2BE0
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015A2B80 NtQueryInformationFile,5_2_015A2B80
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015A2BA0 NtEnumerateValueKey,5_2_015A2BA0
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015A2AF0 NtWriteFile,5_2_015A2AF0
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015A2AB0 NtWaitForSingleObject,5_2_015A2AB0
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015A2D00 NtSetInformationFile,5_2_015A2D00
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015A2DB0 NtEnumerateKey,5_2_015A2DB0
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015A2C60 NtCreateKey,5_2_015A2C60
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015A2C00 NtQueryInformationProcess,5_2_015A2C00
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015A2CC0 NtQueryVirtualMemory,5_2_015A2CC0
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015A2CF0 NtOpenProcess,5_2_015A2CF0
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015A2F60 NtCreateProcessEx,5_2_015A2F60
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015A2FA0 NtQuerySection,5_2_015A2FA0
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015A2E30 NtWriteVirtualMemory,5_2_015A2E30
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015A2EE0 NtQueueApcThread,5_2_015A2EE0
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015A3010 NtOpenDirectoryObject,5_2_015A3010
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015A3090 NtSetValueKey,5_2_015A3090
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015A35C0 NtCreateMutant,5_2_015A35C0
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015A39B0 NtGetContextThread,5_2_015A39B0
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015A3D70 NtOpenThread,5_2_015A3D70
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015A3D10 NtOpenProcessToken,5_2_015A3D10
          Source: C:\Windows\explorer.exe | Code function: 6_2_0E391232 NtCreateFile,6_2_0E391232
          Source: C:\Windows\explorer.exe | Code function: 6_2_0E392E12 NtProtectVirtualMemory,6_2_0E392E12
          Source: C:\Windows\explorer.exe | Code function: 6_2_0E392E0A NtProtectVirtualMemory,6_2_0E392E0A
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C82B60 NtClose,LdrInitializeThunk,8_2_03C82B60
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C82AD0 NtReadFile,LdrInitializeThunk,8_2_03C82AD0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C82FE0 NtCreateFile,LdrInitializeThunk,8_2_03C82FE0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C82F30 NtCreateSection,LdrInitializeThunk,8_2_03C82F30
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C82EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,8_2_03C82EA0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C82DD0 NtDelayExecution,LdrInitializeThunk,8_2_03C82DD0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C82DF0 NtQuerySystemInformation,LdrInitializeThunk,8_2_03C82DF0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C82D10 NtMapViewOfSection,LdrInitializeThunk,8_2_03C82D10
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C82CA0 NtQueryInformationToken,LdrInitializeThunk,8_2_03C82CA0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C82C60 NtCreateKey,LdrInitializeThunk,8_2_03C82C60
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C82C70 NtFreeVirtualMemory,LdrInitializeThunk,8_2_03C82C70
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C835C0 NtCreateMutant,LdrInitializeThunk,8_2_03C835C0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C84340 NtSetContextThread,8_2_03C84340
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C84650 NtSuspendThread,8_2_03C84650
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C82BE0 NtQueryValueKey,8_2_03C82BE0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C82BF0 NtAllocateVirtualMemory,8_2_03C82BF0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C82B80 NtQueryInformationFile,8_2_03C82B80
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C82BA0 NtEnumerateValueKey,8_2_03C82BA0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C82AF0 NtWriteFile,8_2_03C82AF0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C82AB0 NtWaitForSingleObject,8_2_03C82AB0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C82F90 NtProtectVirtualMemory,8_2_03C82F90
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C82FA0 NtQuerySection,8_2_03C82FA0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C82FB0 NtResumeThread,8_2_03C82FB0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C82F60 NtCreateProcessEx,8_2_03C82F60
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C82EE0 NtQueueApcThread,8_2_03C82EE0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C82E80 NtReadVirtualMemory,8_2_03C82E80
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C82E30 NtWriteVirtualMemory,8_2_03C82E30
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C82DB0 NtEnumerateKey,8_2_03C82DB0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C82D00 NtSetInformationFile,8_2_03C82D00
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C82D30 NtUnmapViewOfSection,8_2_03C82D30
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C82CC0 NtQueryVirtualMemory,8_2_03C82CC0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C82CF0 NtOpenProcess,8_2_03C82CF0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C82C00 NtQueryInformationProcess,8_2_03C82C00
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C83090 NtSetValueKey,8_2_03C83090
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C83010 NtOpenDirectoryObject,8_2_03C83010
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C839B0 NtGetContextThread,8_2_03C839B0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C83D70 NtOpenThread,8_2_03C83D70
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C83D10 NtOpenProcessToken,8_2_03C83D10
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_0332A330 NtCreateFile,8_2_0332A330
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_0332A3E0 NtReadFile,8_2_0332A3E0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_0332A460 NtClose,8_2_0332A460
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_0332A32A NtCreateFile,8_2_0332A32A
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_0332A3DA NtReadFile,8_2_0332A3DA
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_0332A2EA NtCreateFile,8_2_0332A2EA
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_0332A45E NtClose,8_2_0332A45E
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03AF9BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,8_2_03AF9BAF
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03AFA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,8_2_03AFA036
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03AF9BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,8_2_03AF9BB2
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03AFA042 NtQueryInformationProcess,8_2_03AFA042
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 0_2_0148DE4C
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 0_2_076B3B08
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_00401030
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0041D89D
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0041DA88
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0041DBA8
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_00402D87
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_00402D90
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_00409E5B
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_00409E60
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0041DFD5
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0041E792
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_00402FB0
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015F8158
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_01560100
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0160A118
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_016281CC
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_016241A2
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_016301AA
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_01602000
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0162A352
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_016303E6
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0157E3F0
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_01610274
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015F02C0
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_01570535
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_01630591
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_01622446
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_01614420
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0161E4F6
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_01594750
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_01570770
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0156C7C0
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0158C6E0
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_01586962
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0163A9A6
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015729A0
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_01572840
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0157A840
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0159E8F0
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015568B8
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0162AB40
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_01626BD7
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0156EA80
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0157AD00
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0160CD1F
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0156ADE0
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_01588DBF
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_01570C00
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_01560CF2
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_01610CB5
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015E4F40
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_01612F30
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_01590F30
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015B2F28
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_01562FC8
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0157CFE0
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015EEFA0
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_01570E59
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0162EE26
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0162EEDB
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_01582E90
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0162CE93
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0163B16B
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0155F172
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015A516C
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0157B1B0
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0162F0E0
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_016270E9
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015770C0
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0161F0CC
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0155D34C
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0162132D
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015B739A
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_016112ED
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0158B2C0
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015752A0
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_01627571
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_016395C3
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0160D5B0
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_01561460
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0162F43F
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0162F7B0
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015B5630
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_016216CC
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_01579950
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0158B950
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_01605910
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015DD800
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015738E0
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0162FB76
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015ADBF9
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015E5BF0
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0158FB80
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_01627A46
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0162FA49
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015E3A6C
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0161DAC6
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_01611AA3
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0160DAAC
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015B5AA0
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_01627D73
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_01573D40
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_01621D5A
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0158FDC0
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015E9C32
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0162FCF2
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0162FF09
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_01533FD2
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_01533FD5
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_01571F92
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0162FFB1
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_01579EB0
          Source: C:\Windows\explorer.exe | Code function: 6_2_0E201232
          Source: C:\Windows\explorer.exe | Code function: 6_2_0E1FBB32
          Source: C:\Windows\explorer.exe | Code function: 6_2_0E1FBB30
          Source: C:\Windows\explorer.exe | Code function: 6_2_0E200036
          Source: C:\Windows\explorer.exe | Code function: 6_2_0E1F7082
          Source: C:\Windows\explorer.exe | Code function: 6_2_0E1FE912
          Source: C:\Windows\explorer.exe | Code function: 6_2_0E1F8D02
          Source: C:\Windows\explorer.exe | Code function: 6_2_0E2045CD
          Source: C:\Windows\explorer.exe | Code function: 6_2_0E391232
          Source: C:\Windows\explorer.exe | Code function: 6_2_0E390036
          Source: C:\Windows\explorer.exe | Code function: 6_2_0E387082
          Source: C:\Windows\explorer.exe | Code function: 6_2_0E38BB30
          Source: C:\Windows\explorer.exe | Code function: 6_2_0E38BB32
          Source: C:\Windows\explorer.exe | Code function: 6_2_0E38E912
          Source: C:\Windows\explorer.exe | Code function: 6_2_0E388D02
          Source: C:\Windows\explorer.exe | Code function: 6_2_0E3945CD
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_00A65EB0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C5E3F0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03D103E6
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03D0A352
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03CD02C0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03CF0274
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03D081CC
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03D041A2
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03D101AA
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03CD8158
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C40100
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03CEA118
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03CE2000
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C4C7C0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C74750
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C50770
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C6C6E0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03D10591
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C50535
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03CFE4F6
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03D02446
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03CF4420
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03D06BD7
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03D0AB40
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C4EA80
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C529A0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03D1A9A6
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C66962
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C7E8F0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C368B8
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C52840
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C5A840
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C42FC8
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C5CFE0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03CCEFA0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03CC4F40
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C92F28
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C70F30
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03CF2F30
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03D0EEDB
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03D0CE93
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C62E90
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C50E59
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03D0EE26
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C4ADE0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C68DBF
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C5AD00
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03CECD1F
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C40CF2
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03CF0CB5
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C50C00
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C9739A
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C3D34C
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03D0132D
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C6B2C0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03CF12ED
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C552A0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C5B1B0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C8516C
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C3F172
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03D1B16B
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03CFF0CC
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C570C0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03D0F0E0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03D070E9
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03D0F7B0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03D016CC
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C95630
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03D195C3
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03CED5B0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03D07571
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C41460
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03D0F43F
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C8DBF9
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03CC5BF0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C6FB80
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03D0FB76
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03CFDAC6
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03CEDAAC
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C95AA0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03CF1AA3
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03D07A46
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03D0FA49
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03CC3A6C
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C59950
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C6B950
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03CE5910
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C538E0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03CBD800
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C13FD2
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C13FD5
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C51F92
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03D0FFB1
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03D0FF09
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C59EB0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C6FDC0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C53D40
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03D01D5A
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03D07D73
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03D0FCF2
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03CC9C32
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_0332E792
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03312FB0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03319E60
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03319E5B
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03312D90
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03312D87
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03AFA036
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03AF5B32
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03AF5B30
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03AFB232
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03AF8912
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03AF1082
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03AFE5CD
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03AF2D02
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: String function: 015B7E54 appears 111 times
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: String function: 015EF290 appears 105 times
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: String function: 015A5130 appears 58 times
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: String function: 015DEA12 appears 86 times
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: String function: 0155B970 appears 280 times
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: String function: 03C85130 appears 58 times
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: String function: 03C3B970 appears 280 times
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: String function: 03CBEA12 appears 86 times
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: String function: 03C97E54 appears 111 times
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: String function: 03CCF290 appears 105 times
          Source: RFQ-1024.exe | Static PE information: invalid certificate
          Source: RFQ-1024.exe, 00000000.00000002.2150735906.000000000405C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs RFQ-1024.exe
          Source: RFQ-1024.exe, 00000000.00000002.2155385315.0000000007E80000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs RFQ-1024.exe
          Source: RFQ-1024.exe, 00000000.00000002.2149060346.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs RFQ-1024.exe
          Source: RFQ-1024.exe, 00000005.00000002.2203220637.00000000014DC000.00000040.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamenetsh.exej% vs RFQ-1024.exe
          Source: RFQ-1024.exe, 00000005.00000002.2202774842.0000000001034000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamenetsh.exej% vs RFQ-1024.exe
          Source: RFQ-1024.exe, 00000005.00000002.2202774842.0000000001015000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamenetsh.exej% vs RFQ-1024.exe
          Source: RFQ-1024.exe, 00000005.00000002.2203344738.000000000165D000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs RFQ-1024.exe
          Source: RFQ-1024.exe | Binary or memory string: OriginalFilenamejbBL.exe, vs RFQ-1024.exe
          Source: RFQ-1024.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: 5.2.RFQ-1024.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 5.2.RFQ-1024.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.RFQ-1024.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.RFQ-1024.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 5.2.RFQ-1024.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.RFQ-1024.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.2202528811.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000005.00000002.2202528811.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.2202528811.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.4564962370.00000000034B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000008.00000002.4564962370.00000000034B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.4564962370.00000000034B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.4565141271.0000000003720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000008.00000002.4565141271.0000000003720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.4565141271.0000000003720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.2150735906.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000000.00000002.2150735906.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.2150735906.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.4564832433.0000000003310000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000008.00000002.4564832433.0000000003310000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.4564832433.0000000003310000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Process Memory Space: RFQ-1024.exe PID: 2940, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: RFQ-1024.exe PID: 4608, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTRMatched rule: ironshell_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file ironshell.php.txt, hash = 8bfa2eeb8a3ff6afc619258e39fded56
          Source: Process Memory Space: netsh.exe PID: 6140, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: RFQ-1024.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: 0.2.RFQ-1024.exe.7e80000.4.raw.unpack, DKDGSILKWr1sUAkRcV.csSecurity API names: _0020.SetAccessControl
          Source: 0.2.RFQ-1024.exe.7e80000.4.raw.unpack, DKDGSILKWr1sUAkRcV.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.RFQ-1024.exe.7e80000.4.raw.unpack, DKDGSILKWr1sUAkRcV.csSecurity API names: _0020.AddAccessRule
          Source: 0.2.RFQ-1024.exe.406b960.2.raw.unpack, DKDGSILKWr1sUAkRcV.csSecurity API names: _0020.SetAccessControl
          Source: 0.2.RFQ-1024.exe.406b960.2.raw.unpack, DKDGSILKWr1sUAkRcV.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.RFQ-1024.exe.406b960.2.raw.unpack, DKDGSILKWr1sUAkRcV.csSecurity API names: _0020.AddAccessRule
          Source: 0.2.RFQ-1024.exe.406b960.2.raw.unpack, mGc0aZaaF2V7llp0mh.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.RFQ-1024.exe.7e80000.4.raw.unpack, mGc0aZaaF2V7llp0mh.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: classification engineClassification label: mal100.troj.evad.winEXE@12/6@11/0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_00A67DFA FormatMessageW,GetLastError,wprintf,GetStdHandle,LocalFree,8_2_00A67DFA
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_00A68D48 CoInitializeEx,CoCreateInstance,SysAllocString,SysAllocString,SysAllocString,SysAllocString,SysAllocString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysAllocString,SysAllocString,VariantChangeType,VariantChangeType,VariantChangeType,VariantChangeType,VariantChangeType,VariantChangeType,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,CoUninitialize,8_2_00A68D48
          Source: C:\Users\user\Desktop\RFQ-1024.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ-1024.exe.logJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
          Source: C:\Users\user\Desktop\RFQ-1024.exeMutant created: \Sessions\1\BaseNamedObjects\RFhDCUtfvHLuHYKmvT
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4196:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:764:120:WilError_03
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fzv4q0z5.ktp.ps1Jump to behavior
          Source: RFQ-1024.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: RFQ-1024.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
          Source: C:\Users\user\Desktop\RFQ-1024.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\RFQ-1024.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: RFQ-1024.exeReversingLabs: Detection: 60%
          Source: unknownProcess created: C:\Users\user\Desktop\RFQ-1024.exe "C:\Users\user\Desktop\RFQ-1024.exe"
          Source: C:\Users\user\Desktop\RFQ-1024.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ-1024.exe"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\RFQ-1024.exeProcess created: C:\Users\user\Desktop\RFQ-1024.exe "C:\Users\user\Desktop\RFQ-1024.exe"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\SysWOW64\netsh.exe"
          Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\RFQ-1024.exe"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ-1024.exe"
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Process created: C:\Users\user\Desktop\RFQ-1024.exe "C:\Users\user\Desktop\RFQ-1024.exe"
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\SysWOW64\netsh.exe"
          Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\RFQ-1024.exe"
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Section loaded: mscoree.dll
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Section loaded: apphelp.dll
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Section loaded: version.dll
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Section loaded: vcruntime140_clr0400.dll
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Section loaded: profapi.dll
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Section loaded: cryptsp.dll
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Section loaded: rsaenh.dll
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Section loaded: cryptbase.dll
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Section loaded: dwrite.dll
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Section loaded: windowscodecs.dll
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Section loaded: amsi.dll
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Section loaded: userenv.dll
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Section loaded: msasn1.dll
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Section loaded: gpapi.dll
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Section loaded: propsys.dll
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Section loaded: edputil.dll
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Section loaded: urlmon.dll
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Section loaded: iertutil.dll
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Section loaded: srvcli.dll
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Section loaded: netutils.dll
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Section loaded: windows.staterepositoryps.dll
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Section loaded: sspicli.dll
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Section loaded: wintypes.dll
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Section loaded: appresolver.dll
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Section loaded: bcp47langs.dll
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Section loaded: slc.dll
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Section loaded: sppc.dll
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Section loaded: onecorecommonproxystub.dll
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Section loaded: onecoreuapcommonproxystub.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
          Source: C:\Windows\explorer.exe | Section loaded: workfoldersshell.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.cloudstore.schema.shell.dll
          Source: C:\Windows\explorer.exe | Section loaded: vcruntime140_1.dll
          Source: C:\Windows\explorer.exe | Section loaded: vcruntime140.dll
          Source: C:\Windows\explorer.exe | Section loaded: msvcp140.dll
          Source: C:\Windows\explorer.exe | Section loaded: vcruntime140.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wininet.dll
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
          Source: C:\Users\user\Desktop\RFQ-1024.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: RFQ-1024.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: RFQ-1024.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: RFQ-1024.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: jbBL.pdb source: RFQ-1024.exe
          Source: Binary string: jbBL.pdbSHA256 source: RFQ-1024.exe
          Source: Binary string: netsh.pdb source: RFQ-1024.exe, 00000005.00000002.2203220637.00000000014C0000.00000040.10000000.00040000.00000000.sdmp, RFQ-1024.exe, 00000005.00000002.2202774842.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, RFQ-1024.exe, 00000005.00000002.2202774842.0000000001015000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, netsh.exe, 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: netsh.pdbGCTL source: RFQ-1024.exe, 00000005.00000002.2203220637.00000000014C0000.00000040.10000000.00040000.00000000.sdmp, RFQ-1024.exe, 00000005.00000002.2202774842.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, RFQ-1024.exe, 00000005.00000002.2202774842.0000000001015000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: RFQ-1024.exe, 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000008.00000003.2202893581.00000000038B7000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000008.00000002.4565640687.0000000003DAE000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000008.00000002.4565640687.0000000003C10000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000008.00000003.2204803044.0000000003A60000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: RFQ-1024.exe, RFQ-1024.exe, 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, netsh.exe, 00000008.00000003.2202893581.00000000038B7000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000008.00000002.4565640687.0000000003DAE000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000008.00000002.4565640687.0000000003C10000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000008.00000003.2204803044.0000000003A60000.00000004.00000020.00020000.00000000.sdmp

          Data Obfuscation

          Source: RFQ-1024.exe, Form1.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
          Source: 0.2.RFQ-1024.exe.2ea41bc.0.raw.unpack, JK.cs | .Net Code: ve System.Reflection.Assembly.Load(byte[])
          Source: 0.2.RFQ-1024.exe.59a0000.3.raw.unpack, JK.cs | .Net Code: ve System.Reflection.Assembly.Load(byte[])
          Source: 0.2.RFQ-1024.exe.2ead7d4.1.raw.unpack, JK.cs | .Net Code: ve System.Reflection.Assembly.Load(byte[])
          Source: 0.2.RFQ-1024.exe.7e80000.4.raw.unpack, DKDGSILKWr1sUAkRcV.cs | .Net Code: X7N7RI37Nx System.Reflection.Assembly.Load(byte[])
          Source: 0.2.RFQ-1024.exe.406b960.2.raw.unpack, DKDGSILKWr1sUAkRcV.cs | .Net Code: X7N7RI37Nx System.Reflection.Assembly.Load(byte[])
          Source: 6.2.explorer.exe.1083f840.0.raw.unpack, Form1.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
          Source: 8.2.netsh.exe.415f840.3.raw.unpack, Form1.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
          Source: RFQ-1024.exe | Static PE information: 0xD69A6D8B [Thu Feb 3 19:33:31 2084 UTC]
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_00416825 push ecx; iretd 5_2_00416829
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_004168EA push ecx; ret 5_2_004168F6
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_00417116 push ss; iretd 5_2_00417118
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_00417132 push ecx; iretd 5_2_00417133
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0041E9B2 push edx; iretd 5_2_0041E9B3
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0041EA0C push 6B25699Fh; iretd 5_2_0041EA11
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_00416B3D push ds; retf 5_2_00416B4E
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0040A47D pushad ; ret 5_2_0040A47E
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0041D4D2 push eax; ret 5_2_0041D4D8
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0041D4DB push eax; ret 5_2_0041D542
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0041D485 push eax; ret 5_2_0041D4D8
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0041D53C push eax; ret 5_2_0041D542
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0153225F pushad ; ret 5_2_015327F9
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015327FA pushad ; ret 5_2_015327F9
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_015609AD push ecx; mov dword ptr [esp], ecx 5_2_015609B6
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_0153283D push eax; iretd 5_2_01532858
          Source: C:\Windows\explorer.exe | Code function: 6_2_0E204B02 push esp; retn 0000h 6_2_0E204B03
          Source: C:\Windows\explorer.exe | Code function: 6_2_0E204B1E push esp; retn 0000h 6_2_0E204B1F
          Source: C:\Windows\explorer.exe | Code function: 6_2_0E2049B5 push esp; retn 0000h 6_2_0E204AE7
          Source: C:\Windows\explorer.exe | Code function: 6_2_0E394B1E push esp; retn 0000h 6_2_0E394B1F
          Source: C:\Windows\explorer.exe | Code function: 6_2_0E394B02 push esp; retn 0000h 6_2_0E394B03
          Source: C:\Windows\explorer.exe | Code function: 6_2_0E3949B5 push esp; retn 0000h 6_2_0E394AE7
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_00A69C4D push ecx; ret 8_2_00A69C60
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C1225F pushad ; ret 8_2_03C127F9
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C127FA pushad ; ret 8_2_03C127F9
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C409AD push ecx; mov dword ptr [esp], ecx 8_2_03C409B6
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C1283D push eax; iretd 8_2_03C12858
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C1134F push eax; iretd 8_2_03C11369
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03327132 push ecx; iretd 8_2_03327133
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03327116 push ss; iretd 8_2_03327118
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_0332D53C push eax; ret 8_2_0332D542
          Source: RFQ-1024.exe | Static PE information: section name: .text entropy: 7.850178161565513
          Source: 0.2.RFQ-1024.exe.2ea41bc.0.raw.unpack, JK.cs | High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
          Source: 0.2.RFQ-1024.exe.59a0000.3.raw.unpack, JK.cs | High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
          Source: 0.2.RFQ-1024.exe.2ead7d4.1.raw.unpack, JK.cs | High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
          Source: 0.2.RFQ-1024.exe.7e80000.4.raw.unpack, KsthO2rpR2TrIt47hJ.cs | High entropy of concatenated method names: 'qPqO2SV9R0', 'zMgO4CKjCR', 'OTlOd62AeZ', 'zJoO3AOwCl', 'yqKOLuSyvh', 'cslOUS5u7d', 'KsKOWdOxCb', 'cD5OQm2wLe', 'eiFOHUUIkR', 'sOtOPVnIhR'
          Source: 0.2.RFQ-1024.exe.7e80000.4.raw.unpack, ugSb76vjJW7uVxJWjB.cs | High entropy of concatenated method names: 'ToString', 'GRTUq0JpEu', 'HqrU9FH5hY', 'qLDUJvbGLJ', 'IrsUF1EF3P', 'zSSU1cXK1P', 'y32UT4xdSc', 'gZhUrhENuh', 'FMBU5vBPb4', 'OGNUZWyqS0'
          Source: 0.2.RFQ-1024.exe.7e80000.4.raw.unpack, apeMVRZ2Yf5tZVGWUeC.cs | High entropy of concatenated method names: 'xYRH6vdv4i', 'fj1HlKL1bf', 'JrjHRIBs8D', 'XFhH2ZlLDt', 'TpsHXyA3IL', 'SjjH4wtl4j', 'SVqHV4n8wi', 'EhaHddVBbm', 'lwiH3FV0iv', 'sOmHal9bXW'
          Source: 0.2.RFQ-1024.exe.7e80000.4.raw.unpack, beU0PVluDvNWxtL613.cs | High entropy of concatenated method names: 'Y5NHw7RIAP', 'OlKHKp5pac', 'dE4H7gPJh2', 'P3vHGUeImW', 'Y9jHu2exd2', 'emkHicf8xt', 'BCkHCW2FKS', 'jSeQYHm10B', 'KMBQg0QMd4', 'IP2QnSf8Hc'
          Source: 0.2.RFQ-1024.exe.7e80000.4.raw.unpack, DKDGSILKWr1sUAkRcV.cs | High entropy of concatenated method names: 'HOjKSV6G7V', 'yP9KGttKYO', 'mDgKuSlZxR', 'MhrKO8pVsg', 'CpuKiURAwC', 'Dr3KC4l6MZ', 'mE6KE2icDa', 'sAoKos7SCl', 'ckeKvUo07O', 'z1hKxMd2F1'
          Source: 0.2.RFQ-1024.exe.7e80000.4.raw.unpack, Uj6uLUOAyqL3vvgS53.cs | High entropy of concatenated method names: 'cSywEwlobo', 'woNwovAS1y', 'xfnwxg8ium', 'Xoews4gom1', 'PVtwLnLuVP', 'r7CwUexY6k', 'fGpkZqn5P7Ce6Qgt9f', 'RB7Y4eiBfXssYgVBnE', 'ikywwjElK5', 'E3IwKR7p9R'
          Source: 0.2.RFQ-1024.exe.7e80000.4.raw.unpack, QIKLNpZhSP0qYDW2HKA.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'oMnPhkBUfP', 'Gj1Pf9lTmH', 'dXGP8Rn68E', 'hePPeMpfn3', 'QjkPBN5MJF', 'ochPN25ogX', 'eD5PYKmFAc'
          Source: 0.2.RFQ-1024.exe.7e80000.4.raw.unpack, SxeQdVNiisfAyNXHcM.cs | High entropy of concatenated method names: 'jqTRnWASw', 'nvk23kXC2', 'SS14Bhfic', 'dpVVxX0IQ', 'Ts635p9Qp', 'c04agTmKZ', 'oT6wNFS5eb7wypQe70', 'bp3sWQvV90L5psD1xY', 'hcSQ9NR7c', 'qDnPcxXxZ'
          Source: 0.2.RFQ-1024.exe.7e80000.4.raw.unpack, DDtEITYKBP2TQNwmXU.cs | High entropy of concatenated method names: 'MpOQGWLoiH', 'mQuQuZ0NIw', 'AouQOhwJAg', 'jPmQiAZUZx', 'SZ3QCWiTse', 'sKeQEFb2V9', 'HH6QobhBJ0', 'ScTQvPpGjQ', 'etKQx1iMcd', 'IBiQssi3NP'
          Source: 0.2.RFQ-1024.exe.7e80000.4.raw.unpack, wh4f0m14fKvdY8kCLj.cs | High entropy of concatenated method names: 'Dispose', 'yicwnS0Tm7', 'ndnc930ZmF', 'ncbbb9uOZb', 'B8HwMICCke', 'PWZwziGx4P', 'ProcessDialogKey', 'Bxrctn1Yca', 'vvXcw6J8VB', 'HLyccyNB1J'
          Source: 0.2.RFQ-1024.exe.7e80000.4.raw.unpack, y6Vi9X7lY5FoNUXppJ.cs | High entropy of concatenated method names: 'z3lE6cqbK6', 'r54Elm4Ba0', 'DTKERYnS0Q', 'iqfE2gT5eq', 'ITeEXKaQHV', 'vIeE4rwXdJ', 'ph3EV69P2t', 'wFUEd3q84B', 'sNgE3Fdeph', 'CXnEarJFlD'
          Source: 0.2.RFQ-1024.exe.7e80000.4.raw.unpack, oLmKqIAbs6Ov3LHuwH.cs | High entropy of concatenated method names: 'TkLQIxPLlc', 'sPeQ92e2jL', 'PkwQJnGwOr', 'd04QFx9pAs', 'oDCQhslDTr', 'LsFQ1wUjgi', 'Next', 'Next', 'Next', 'NextBytes'
          Source: 0.2.RFQ-1024.exe.7e80000.4.raw.unpack, adPoQLxDbuCc3GxKeI.cs | High entropy of concatenated method names: 'vqdpdtq6Zc', 'IDyp3N19GO', 'PcUpIMhMb8', 'FHMp9vXacu', 'J9hpFaqBtF', 'nBep1Oti4o', 'CuEprGKVvi', 'Y6Up5gwsMy', 'TaqpA3t8Eo', 'fsppqln2YO'
          Source: 0.2.RFQ-1024.exe.7e80000.4.raw.unpack, cTWCv6uG0JEG4Rl8IQ.cs | High entropy of concatenated method names: 'PnsWgFKNHk', 'wlFWMftaoD', 'yjRQtjHHQu', 'c0tQw8AkTK', 'XweWq6hxI1', 'hktWj5ZPf8', 'RsTWDXIKwQ', 'E0wWhN9RKr', 'XFpWfZ76X8', 'dOKW8kvMcy'
          Source: 0.2.RFQ-1024.exe.7e80000.4.raw.unpack, duMZhUpvGi9RHB5XdD.cs | High entropy of concatenated method names: 'CfUCSCeWM1', 'h7QCuou8cW', 'lxGCiMcZ0l', 'cZgCE2wFdI', 'PToCocUH4h', 'MyhiBId7OP', 'mBAiNxTDgt', 'zruiY3P4Zu', 'xSoigmVDjS', 'bZ1inh5HCc'
          Source: 0.2.RFQ-1024.exe.7e80000.4.raw.unpack, lW8qQ1z0LMw3CN4p3g.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'TXqHpm11Fp', 'S0bHLLavIh', 'HUAHUBhFfM', 'qaqHWw6tB7', 'MLSHQrojjh', 'd7QHHSkeJi', 'en5HPyCFdc'
          Source: 0.2.RFQ-1024.exe.7e80000.4.raw.unpack, VmnbCZyoKkFUmDM8MS.cs | High entropy of concatenated method names: 'KBcLAIlR4e', 'JexLjITx4o', 'ds7Lh6peSM', 'rk9LfJfWhe', 'fshL9A8RVC', 'Ok6LJw0vEY', 'nC3LFxMqoO', 'uhsL1OdyL4', 'xARLTY9bHb', 'r0hLrG3Tyj'
          Source: 0.2.RFQ-1024.exe.7e80000.4.raw.unpack, OkAVafmq0q2cDrS9c4.cs | High entropy of concatenated method names: 'M8fWxdKhhf', 'eSFWsG1pWY', 'ToString', 'NfwWGuBv2x', 'TKCWuhEf9O', 'l7kWOVojJQ', 'vM6WiwPPmh', 'rQYWC0sYiU', 'oZoWEjvPAC', 'BKNWoQsmA7'
          Source: 0.2.RFQ-1024.exe.7e80000.4.raw.unpack, mGc0aZaaF2V7llp0mh.cs | High entropy of concatenated method names: 'r2WuhJf5Tc', 'IRjufbkXp8', 'zTQu8HDeWJ', 'RIwuesGZ7H', 'oBquBvPieM', 'w0IuNDbi8k', 'UdhuY9JKp4', 'xHlug1mwkd', 'nP3unmVKHs', 'hcquMHSObt'
          Source: 0.2.RFQ-1024.exe.406b960.2.raw.unpack, KsthO2rpR2TrIt47hJ.csHigh entropy of concatenated method names: 'qPqO2SV9R0', 'zMgO4CKjCR', 'OTlOd62AeZ', 'zJoO3AOwCl', 'yqKOLuSyvh', 'cslOUS5u7d', 'KsKOWdOxCb', 'cD5OQm2wLe', 'eiFOHUUIkR', 'sOtOPVnIhR'
          Source: 0.2.RFQ-1024.exe.406b960.2.raw.unpack, ugSb76vjJW7uVxJWjB.csHigh entropy of concatenated method names: 'ToString', 'GRTUq0JpEu', 'HqrU9FH5hY', 'qLDUJvbGLJ', 'IrsUF1EF3P', 'zSSU1cXK1P', 'y32UT4xdSc', 'gZhUrhENuh', 'FMBU5vBPb4', 'OGNUZWyqS0'
          Source: 0.2.RFQ-1024.exe.406b960.2.raw.unpack, apeMVRZ2Yf5tZVGWUeC.csHigh entropy of concatenated method names: 'xYRH6vdv4i', 'fj1HlKL1bf', 'JrjHRIBs8D', 'XFhH2ZlLDt', 'TpsHXyA3IL', 'SjjH4wtl4j', 'SVqHV4n8wi', 'EhaHddVBbm', 'lwiH3FV0iv', 'sOmHal9bXW'
          Source: 0.2.RFQ-1024.exe.406b960.2.raw.unpack, beU0PVluDvNWxtL613.csHigh entropy of concatenated method names: 'Y5NHw7RIAP', 'OlKHKp5pac', 'dE4H7gPJh2', 'P3vHGUeImW', 'Y9jHu2exd2', 'emkHicf8xt', 'BCkHCW2FKS', 'jSeQYHm10B', 'KMBQg0QMd4', 'IP2QnSf8Hc'
          Source: 0.2.RFQ-1024.exe.406b960.2.raw.unpack, DKDGSILKWr1sUAkRcV.csHigh entropy of concatenated method names: 'HOjKSV6G7V', 'yP9KGttKYO', 'mDgKuSlZxR', 'MhrKO8pVsg', 'CpuKiURAwC', 'Dr3KC4l6MZ', 'mE6KE2icDa', 'sAoKos7SCl', 'ckeKvUo07O', 'z1hKxMd2F1'
          Source: 0.2.RFQ-1024.exe.406b960.2.raw.unpack, Uj6uLUOAyqL3vvgS53.csHigh entropy of concatenated method names: 'cSywEwlobo', 'woNwovAS1y', 'xfnwxg8ium', 'Xoews4gom1', 'PVtwLnLuVP', 'r7CwUexY6k', 'fGpkZqn5P7Ce6Qgt9f', 'RB7Y4eiBfXssYgVBnE', 'ikywwjElK5', 'E3IwKR7p9R'
          Source: 0.2.RFQ-1024.exe.406b960.2.raw.unpack, QIKLNpZhSP0qYDW2HKA.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'oMnPhkBUfP', 'Gj1Pf9lTmH', 'dXGP8Rn68E', 'hePPeMpfn3', 'QjkPBN5MJF', 'ochPN25ogX', 'eD5PYKmFAc'
          Source: 0.2.RFQ-1024.exe.406b960.2.raw.unpack, SxeQdVNiisfAyNXHcM.csHigh entropy of concatenated method names: 'jqTRnWASw', 'nvk23kXC2', 'SS14Bhfic', 'dpVVxX0IQ', 'Ts635p9Qp', 'c04agTmKZ', 'oT6wNFS5eb7wypQe70', 'bp3sWQvV90L5psD1xY', 'hcSQ9NR7c', 'qDnPcxXxZ'
          Source: 0.2.RFQ-1024.exe.406b960.2.raw.unpack, DDtEITYKBP2TQNwmXU.csHigh entropy of concatenated method names: 'MpOQGWLoiH', 'mQuQuZ0NIw', 'AouQOhwJAg', 'jPmQiAZUZx', 'SZ3QCWiTse', 'sKeQEFb2V9', 'HH6QobhBJ0', 'ScTQvPpGjQ', 'etKQx1iMcd', 'IBiQssi3NP'
          Source: 0.2.RFQ-1024.exe.406b960.2.raw.unpack, wh4f0m14fKvdY8kCLj.csHigh entropy of concatenated method names: 'Dispose', 'yicwnS0Tm7', 'ndnc930ZmF', 'ncbbb9uOZb', 'B8HwMICCke', 'PWZwziGx4P', 'ProcessDialogKey', 'Bxrctn1Yca', 'vvXcw6J8VB', 'HLyccyNB1J'
          Source: 0.2.RFQ-1024.exe.406b960.2.raw.unpack, y6Vi9X7lY5FoNUXppJ.csHigh entropy of concatenated method names: 'z3lE6cqbK6', 'r54Elm4Ba0', 'DTKERYnS0Q', 'iqfE2gT5eq', 'ITeEXKaQHV', 'vIeE4rwXdJ', 'ph3EV69P2t', 'wFUEd3q84B', 'sNgE3Fdeph', 'CXnEarJFlD'
          Source: 0.2.RFQ-1024.exe.406b960.2.raw.unpack, oLmKqIAbs6Ov3LHuwH.csHigh entropy of concatenated method names: 'TkLQIxPLlc', 'sPeQ92e2jL', 'PkwQJnGwOr', 'd04QFx9pAs', 'oDCQhslDTr', 'LsFQ1wUjgi', 'Next', 'Next', 'Next', 'NextBytes'
          Source: 0.2.RFQ-1024.exe.406b960.2.raw.unpack, adPoQLxDbuCc3GxKeI.csHigh entropy of concatenated method names: 'vqdpdtq6Zc', 'IDyp3N19GO', 'PcUpIMhMb8', 'FHMp9vXacu', 'J9hpFaqBtF', 'nBep1Oti4o', 'CuEprGKVvi', 'Y6Up5gwsMy', 'TaqpA3t8Eo', 'fsppqln2YO'
          Source: 0.2.RFQ-1024.exe.406b960.2.raw.unpack, cTWCv6uG0JEG4Rl8IQ.csHigh entropy of concatenated method names: 'PnsWgFKNHk', 'wlFWMftaoD', 'yjRQtjHHQu', 'c0tQw8AkTK', 'XweWq6hxI1', 'hktWj5ZPf8', 'RsTWDXIKwQ', 'E0wWhN9RKr', 'XFpWfZ76X8', 'dOKW8kvMcy'
          Source: 0.2.RFQ-1024.exe.406b960.2.raw.unpack, duMZhUpvGi9RHB5XdD.csHigh entropy of concatenated method names: 'CfUCSCeWM1', 'h7QCuou8cW', 'lxGCiMcZ0l', 'cZgCE2wFdI', 'PToCocUH4h', 'MyhiBId7OP', 'mBAiNxTDgt', 'zruiY3P4Zu', 'xSoigmVDjS', 'bZ1inh5HCc'
          Source: 0.2.RFQ-1024.exe.406b960.2.raw.unpack, lW8qQ1z0LMw3CN4p3g.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'TXqHpm11Fp', 'S0bHLLavIh', 'HUAHUBhFfM', 'qaqHWw6tB7', 'MLSHQrojjh', 'd7QHHSkeJi', 'en5HPyCFdc'
          Source: 0.2.RFQ-1024.exe.406b960.2.raw.unpack, VmnbCZyoKkFUmDM8MS.csHigh entropy of concatenated method names: 'KBcLAIlR4e', 'JexLjITx4o', 'ds7Lh6peSM', 'rk9LfJfWhe', 'fshL9A8RVC', 'Ok6LJw0vEY', 'nC3LFxMqoO', 'uhsL1OdyL4', 'xARLTY9bHb', 'r0hLrG3Tyj'
          Source: 0.2.RFQ-1024.exe.406b960.2.raw.unpack, OkAVafmq0q2cDrS9c4.csHigh entropy of concatenated method names: 'M8fWxdKhhf', 'eSFWsG1pWY', 'ToString', 'NfwWGuBv2x', 'TKCWuhEf9O', 'l7kWOVojJQ', 'vM6WiwPPmh', 'rQYWC0sYiU', 'oZoWEjvPAC', 'BKNWoQsmA7'
          Source: 0.2.RFQ-1024.exe.406b960.2.raw.unpack, mGc0aZaaF2V7llp0mh.csHigh entropy of concatenated method names: 'r2WuhJf5Tc', 'IRjufbkXp8', 'zTQu8HDeWJ', 'RIwuesGZ7H', 'oBquBvPieM', 'w0IuNDbi8k', 'UdhuY9JKp4', 'xHlug1mwkd', 'nP3unmVKHs', 'hcquMHSObt'

          Hooking and other Techniques for Hiding and Protection

          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\RFQ-1024.exe | API/Special instruction interceptor: Address: 7FFDB442D324
          Source: C:\Users\user\Desktop\RFQ-1024.exe | API/Special instruction interceptor: Address: 7FFDB4430774
          Source: C:\Users\user\Desktop\RFQ-1024.exe | API/Special instruction interceptor: Address: 7FFDB4430154
          Source: C:\Users\user\Desktop\RFQ-1024.exe | API/Special instruction interceptor: Address: 7FFDB442D8A4
          Source: C:\Users\user\Desktop\RFQ-1024.exe | API/Special instruction interceptor: Address: 7FFDB442DA44
          Source: C:\Users\user\Desktop\RFQ-1024.exe | API/Special instruction interceptor: Address: 7FFDB442D1E4
          Source: C:\Windows\SysWOW64\netsh.exe | API/Special instruction interceptor: Address: 7FFDB442D324
          Source: C:\Windows\SysWOW64\netsh.exe | API/Special instruction interceptor: Address: 7FFDB4430774
          Source: C:\Windows\SysWOW64\netsh.exe | API/Special instruction interceptor: Address: 7FFDB442D944
          Source: C:\Windows\SysWOW64\netsh.exe | API/Special instruction interceptor: Address: 7FFDB442D504
          Source: C:\Windows\SysWOW64\netsh.exe | API/Special instruction interceptor: Address: 7FFDB442D544
          Source: C:\Windows\SysWOW64\netsh.exe | API/Special instruction interceptor: Address: 7FFDB442D1E4
          Source: C:\Windows\SysWOW64\netsh.exe | API/Special instruction interceptor: Address: 7FFDB4430154
          Source: C:\Windows\SysWOW64\netsh.exe | API/Special instruction interceptor: Address: 7FFDB442D8A4
          Source: C:\Windows\SysWOW64\netsh.exe | API/Special instruction interceptor: Address: 7FFDB442DA44
          Source: C:\Users\user\Desktop\RFQ-1024.exe | RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\RFQ-1024.exe | RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\netsh.exe | RDTSC instruction interceptor: First address: 3319904 second address: 331990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\netsh.exe | RDTSC instruction interceptor: First address: 3319B7E second address: 3319B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Memory allocated: 1440000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Memory allocated: 2E20000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Memory allocated: 2C40000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Memory allocated: 8030000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Memory allocated: 9030000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Memory allocated: 91F0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Memory allocated: A1F0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Code function: 5_2_00409AB0 rdtsc 5_2_00409AB0
          Source: C:\Users\user\Desktop\RFQ-1024.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6467
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3131
          Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 1992
          Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 7952
          Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 877
          Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 867
          Source: C:\Windows\SysWOW64\netsh.exe | Window / User API: threadDelayed 2056
          Source: C:\Windows\SysWOW64\netsh.exe | Window / User API: threadDelayed 7916
          Source: C:\Users\user\Desktop\RFQ-1024.exe | API coverage: 1.6 %
          Source: C:\Windows\SysWOW64\netsh.exe | API coverage: 1.4 %
          Source: C:\Users\user\Desktop\RFQ-1024.exe TID: 3728 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7072 | Thread sleep time: -4611686018427385s >= -30000s
          Source: C:\Windows\explorer.exe TID: 5752 | Thread sleep count: 1992 > 30
          Source: C:\Windows\explorer.exe TID: 5752 | Thread sleep time: -3984000s >= -30000s
          Source: C:\Windows\explorer.exe TID: 5752 | Thread sleep count: 7952 > 30
          Source: C:\Windows\explorer.exe TID: 5752 | Thread sleep time: -15904000s >= -30000s
          Source: C:\Windows\SysWOW64\netsh.exe TID: 6208 | Thread sleep count: 2056 > 30
          Source: C:\Windows\SysWOW64\netsh.exe TID: 6208 | Thread sleep time: -4112000s >= -30000s
          Source: C:\Windows\SysWOW64\netsh.exe TID: 6208 | Thread sleep count: 7916 > 30
          Source: C:\Windows\SysWOW64\netsh.exe TID: 6208 | Thread sleep time: -15832000s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\netsh.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\netsh.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\RFQ-1024.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: explorer.exe, 00000006.00000000.2149982749.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4569132555.000000000962B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWystem32\DriverStore\en-US\msmouse.inf_locv
          Source: explorer.exe, 00000006.00000002.4569132555.00000000097F3000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
          Source: explorer.exe, 00000006.00000002.4569132555.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2149982749.000000000973C000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWws
          Source: explorer.exe, 00000006.00000003.2979402480.00000000098AD000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}RoamingCom
          Source: explorer.exe, 00000006.00000002.4569132555.0000000009605000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: NXTVMWare
          Source: explorer.exe, 00000006.00000000.2133976960.0000000000D99000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000006.00000000.2133976960.0000000000D99000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000W
          Source: explorer.exe, 00000006.00000002.4569132555.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2149982749.000000000978C000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
          Source: explorer.exe, 00000006.00000002.4567281591.00000000073E5000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
          Source: explorer.exe, 00000006.00000003.2979402480.00000000098AD000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}lnkramW6
          Source: explorer.exe, 00000006.00000000.2133976960.0000000000D99000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
          Source: explorer.exe, 00000006.00000003.2979402480.00000000098AD000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
          Source: explorer.exe, 00000006.00000000.2133976960.0000000000D99000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\RFQ-1024.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ-1024.exeProcess queried: DebugPortJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeProcess queried: DebugPortJump to behavior
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_00409AB0 rdtsc 5_2_00409AB0
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0040ACF0 LdrLoadDll, 5_2_0040ACF0
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_01566154 mov eax, dword ptr fs:[00000030h] 5_2_01566154
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_01566154 mov eax, dword ptr fs:[00000030h] 5_2_01566154
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0155C156 mov eax, dword ptr fs:[00000030h] 5_2_0155C156
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015F8158 mov eax, dword ptr fs:[00000030h] 5_2_015F8158
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_01634164 mov eax, dword ptr fs:[00000030h] 5_2_01634164
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_01634164 mov eax, dword ptr fs:[00000030h] 5_2_01634164
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015F4144 mov eax, dword ptr fs:[00000030h] 5_2_015F4144
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015F4144 mov eax, dword ptr fs:[00000030h] 5_2_015F4144
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015F4144 mov ecx, dword ptr fs:[00000030h] 5_2_015F4144
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015F4144 mov eax, dword ptr fs:[00000030h] 5_2_015F4144
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015F4144 mov eax, dword ptr fs:[00000030h] 5_2_015F4144
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0160E10E mov eax, dword ptr fs:[00000030h] 5_2_0160E10E
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0160E10E mov ecx, dword ptr fs:[00000030h] 5_2_0160E10E
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0160E10E mov eax, dword ptr fs:[00000030h] 5_2_0160E10E
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0160E10E mov eax, dword ptr fs:[00000030h] 5_2_0160E10E
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0160E10E mov ecx, dword ptr fs:[00000030h] 5_2_0160E10E
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0160E10E mov eax, dword ptr fs:[00000030h] 5_2_0160E10E
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0160E10E mov eax, dword ptr fs:[00000030h] 5_2_0160E10E
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0160E10E mov ecx, dword ptr fs:[00000030h] 5_2_0160E10E
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0160E10E mov eax, dword ptr fs:[00000030h] 5_2_0160E10E
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0160E10E mov ecx, dword ptr fs:[00000030h] 5_2_0160E10E
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_01620115 mov eax, dword ptr fs:[00000030h] 5_2_01620115
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0160A118 mov ecx, dword ptr fs:[00000030h] 5_2_0160A118
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0160A118 mov eax, dword ptr fs:[00000030h] 5_2_0160A118
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0160A118 mov eax, dword ptr fs:[00000030h] 5_2_0160A118
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0160A118 mov eax, dword ptr fs:[00000030h] 5_2_0160A118
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_01590124 mov eax, dword ptr fs:[00000030h] 5_2_01590124
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_016361E5 mov eax, dword ptr fs:[00000030h] 5_2_016361E5
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015DE1D0 mov eax, dword ptr fs:[00000030h] 5_2_015DE1D0
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015DE1D0 mov eax, dword ptr fs:[00000030h] 5_2_015DE1D0
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015DE1D0 mov ecx, dword ptr fs:[00000030h] 5_2_015DE1D0
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015DE1D0 mov eax, dword ptr fs:[00000030h] 5_2_015DE1D0
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015DE1D0 mov eax, dword ptr fs:[00000030h] 5_2_015DE1D0
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_016261C3 mov eax, dword ptr fs:[00000030h] 5_2_016261C3
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_016261C3 mov eax, dword ptr fs:[00000030h] 5_2_016261C3
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015901F8 mov eax, dword ptr fs:[00000030h] 5_2_015901F8
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015E019F mov eax, dword ptr fs:[00000030h] 5_2_015E019F
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015E019F mov eax, dword ptr fs:[00000030h] 5_2_015E019F
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015E019F mov eax, dword ptr fs:[00000030h] 5_2_015E019F
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015E019F mov eax, dword ptr fs:[00000030h] 5_2_015E019F
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0155A197 mov eax, dword ptr fs:[00000030h] 5_2_0155A197
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0155A197 mov eax, dword ptr fs:[00000030h] 5_2_0155A197
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0155A197 mov eax, dword ptr fs:[00000030h] 5_2_0155A197
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015A0185 mov eax, dword ptr fs:[00000030h] 5_2_015A0185
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_01604180 mov eax, dword ptr fs:[00000030h] 5_2_01604180
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_01604180 mov eax, dword ptr fs:[00000030h] 5_2_01604180
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0161C188 mov eax, dword ptr fs:[00000030h] 5_2_0161C188
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0161C188 mov eax, dword ptr fs:[00000030h] 5_2_0161C188
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_01562050 mov eax, dword ptr fs:[00000030h] 5_2_01562050
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015E6050 mov eax, dword ptr fs:[00000030h] 5_2_015E6050
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0158C073 mov eax, dword ptr fs:[00000030h] 5_2_0158C073
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0157E016 mov eax, dword ptr fs:[00000030h] 5_2_0157E016
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0157E016 mov eax, dword ptr fs:[00000030h] 5_2_0157E016
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0157E016 mov eax, dword ptr fs:[00000030h] 5_2_0157E016
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0157E016 mov eax, dword ptr fs:[00000030h] 5_2_0157E016
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015E4000 mov ecx, dword ptr fs:[00000030h] 5_2_015E4000
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_01602000 mov eax, dword ptr fs:[00000030h] 5_2_01602000
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_01602000 mov eax, dword ptr fs:[00000030h] 5_2_01602000
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_01602000 mov eax, dword ptr fs:[00000030h] 5_2_01602000
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_01602000 mov eax, dword ptr fs:[00000030h] 5_2_01602000
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_01602000 mov eax, dword ptr fs:[00000030h] 5_2_01602000
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_01602000 mov eax, dword ptr fs:[00000030h] 5_2_01602000
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_01602000 mov eax, dword ptr fs:[00000030h] 5_2_01602000
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_01602000 mov eax, dword ptr fs:[00000030h] 5_2_01602000
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015F6030 mov eax, dword ptr fs:[00000030h] 5_2_015F6030
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0155A020 mov eax, dword ptr fs:[00000030h] 5_2_0155A020
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0155C020 mov eax, dword ptr fs:[00000030h] 5_2_0155C020
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015E20DE mov eax, dword ptr fs:[00000030h] 5_2_015E20DE
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0155C0F0 mov eax, dword ptr fs:[00000030h] 5_2_0155C0F0
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015A20F0 mov ecx, dword ptr fs:[00000030h] 5_2_015A20F0
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0155A0E3 mov ecx, dword ptr fs:[00000030h] 5_2_0155A0E3
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015E60E0 mov eax, dword ptr fs:[00000030h] 5_2_015E60E0
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015680E9 mov eax, dword ptr fs:[00000030h] 5_2_015680E9
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_016260B8 mov eax, dword ptr fs:[00000030h] 5_2_016260B8
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_016260B8 mov ecx, dword ptr fs:[00000030h] 5_2_016260B8
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0156208A mov eax, dword ptr fs:[00000030h] 5_2_0156208A
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015580A0 mov eax, dword ptr fs:[00000030h] 5_2_015580A0
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015F80A8 mov eax, dword ptr fs:[00000030h] 5_2_015F80A8
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015E035C mov eax, dword ptr fs:[00000030h] 5_2_015E035C
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015E035C mov eax, dword ptr fs:[00000030h] 5_2_015E035C
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015E035C mov eax, dword ptr fs:[00000030h] 5_2_015E035C
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015E035C mov ecx, dword ptr fs:[00000030h] 5_2_015E035C
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015E035C mov eax, dword ptr fs:[00000030h] 5_2_015E035C
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015E035C mov eax, dword ptr fs:[00000030h] 5_2_015E035C
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015E2349 mov eax, dword ptr fs:[00000030h] 5_2_015E2349
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015E2349 mov eax, dword ptr fs:[00000030h] 5_2_015E2349
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015E2349 mov eax, dword ptr fs:[00000030h] 5_2_015E2349
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015E2349 mov eax, dword ptr fs:[00000030h] 5_2_015E2349
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015E2349 mov eax, dword ptr fs:[00000030h] 5_2_015E2349
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015E2349 mov eax, dword ptr fs:[00000030h] 5_2_015E2349
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015E2349 mov eax, dword ptr fs:[00000030h] 5_2_015E2349
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015E2349 mov eax, dword ptr fs:[00000030h] 5_2_015E2349
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015E2349 mov eax, dword ptr fs:[00000030h] 5_2_015E2349
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015E2349 mov eax, dword ptr fs:[00000030h] 5_2_015E2349
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015E2349 mov eax, dword ptr fs:[00000030h] 5_2_015E2349
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015E2349 mov eax, dword ptr fs:[00000030h] 5_2_015E2349
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015E2349 mov eax, dword ptr fs:[00000030h] 5_2_015E2349
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015E2349 mov eax, dword ptr fs:[00000030h] 5_2_015E2349
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015E2349 mov eax, dword ptr fs:[00000030h] 5_2_015E2349
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0160437C mov eax, dword ptr fs:[00000030h] 5_2_0160437C
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0163634F mov eax, dword ptr fs:[00000030h] 5_2_0163634F
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0162A352 mov eax, dword ptr fs:[00000030h] 5_2_0162A352
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_01608350 mov ecx, dword ptr fs:[00000030h] 5_2_01608350
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0155C310 mov ecx, dword ptr fs:[00000030h] 5_2_0155C310
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_01638324 mov eax, dword ptr fs:[00000030h] 5_2_01638324
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_01638324 mov ecx, dword ptr fs:[00000030h] 5_2_01638324
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_01638324 mov eax, dword ptr fs:[00000030h] 5_2_01638324
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_01638324 mov eax, dword ptr fs:[00000030h] 5_2_01638324
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_01580310 mov ecx, dword ptr fs:[00000030h] 5_2_01580310
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0159A30B mov eax, dword ptr fs:[00000030h] 5_2_0159A30B
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0159A30B mov eax, dword ptr fs:[00000030h] 5_2_0159A30B
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0159A30B mov eax, dword ptr fs:[00000030h] 5_2_0159A30B
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015683C0 mov eax, dword ptr fs:[00000030h] 5_2_015683C0
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015683C0 mov eax, dword ptr fs:[00000030h] 5_2_015683C0
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015683C0 mov eax, dword ptr fs:[00000030h] 5_2_015683C0
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015683C0 mov eax, dword ptr fs:[00000030h] 5_2_015683C0
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0156A3C0 mov eax, dword ptr fs:[00000030h] 5_2_0156A3C0
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0156A3C0 mov eax, dword ptr fs:[00000030h] 5_2_0156A3C0
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0156A3C0 mov eax, dword ptr fs:[00000030h] 5_2_0156A3C0
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0156A3C0 mov eax, dword ptr fs:[00000030h] 5_2_0156A3C0
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0156A3C0 mov eax, dword ptr fs:[00000030h] 5_2_0156A3C0
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0156A3C0 mov eax, dword ptr fs:[00000030h] 5_2_0156A3C0
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015E63C0 mov eax, dword ptr fs:[00000030h] 5_2_015E63C0
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015963FF mov eax, dword ptr fs:[00000030h] 5_2_015963FF
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0157E3F0 mov eax, dword ptr fs:[00000030h] 5_2_0157E3F0
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0157E3F0 mov eax, dword ptr fs:[00000030h] 5_2_0157E3F0
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0157E3F0 mov eax, dword ptr fs:[00000030h] 5_2_0157E3F0
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0161C3CD mov eax, dword ptr fs:[00000030h] 5_2_0161C3CD
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_016043D4 mov eax, dword ptr fs:[00000030h] 5_2_016043D4
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_016043D4 mov eax, dword ptr fs:[00000030h] 5_2_016043D4
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0160E3DB mov eax, dword ptr fs:[00000030h] 5_2_0160E3DB
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0160E3DB mov eax, dword ptr fs:[00000030h] 5_2_0160E3DB
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0160E3DB mov ecx, dword ptr fs:[00000030h] 5_2_0160E3DB
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0160E3DB mov eax, dword ptr fs:[00000030h] 5_2_0160E3DB
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015703E9 mov eax, dword ptr fs:[00000030h] 5_2_015703E9
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015703E9 mov eax, dword ptr fs:[00000030h] 5_2_015703E9
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015703E9 mov eax, dword ptr fs:[00000030h] 5_2_015703E9
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015703E9 mov eax, dword ptr fs:[00000030h] 5_2_015703E9
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015703E9 mov eax, dword ptr fs:[00000030h] 5_2_015703E9
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015703E9 mov eax, dword ptr fs:[00000030h] 5_2_015703E9
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015703E9 mov eax, dword ptr fs:[00000030h] 5_2_015703E9
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015703E9 mov eax, dword ptr fs:[00000030h] 5_2_015703E9
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_01558397 mov eax, dword ptr fs:[00000030h] 5_2_01558397
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_01558397 mov eax, dword ptr fs:[00000030h] 5_2_01558397
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_01558397 mov eax, dword ptr fs:[00000030h] 5_2_01558397
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0158438F mov eax, dword ptr fs:[00000030h] 5_2_0158438F
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0158438F mov eax, dword ptr fs:[00000030h] 5_2_0158438F
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0155E388 mov eax, dword ptr fs:[00000030h] 5_2_0155E388
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0155E388 mov eax, dword ptr fs:[00000030h] 5_2_0155E388
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0155E388 mov eax, dword ptr fs:[00000030h] 5_2_0155E388
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0155A250 mov eax, dword ptr fs:[00000030h] 5_2_0155A250
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_01566259 mov eax, dword ptr fs:[00000030h] 5_2_01566259
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_01610274 mov eax, dword ptr fs:[00000030h] 5_2_01610274
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_01610274 mov eax, dword ptr fs:[00000030h] 5_2_01610274
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_01610274 mov eax, dword ptr fs:[00000030h] 5_2_01610274
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_01610274 mov eax, dword ptr fs:[00000030h] 5_2_01610274
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_01610274 mov eax, dword ptr fs:[00000030h] 5_2_01610274
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_01610274 mov eax, dword ptr fs:[00000030h] 5_2_01610274
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_01610274 mov eax, dword ptr fs:[00000030h] 5_2_01610274
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_01610274 mov eax, dword ptr fs:[00000030h] 5_2_01610274
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_01610274 mov eax, dword ptr fs:[00000030h] 5_2_01610274
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_01610274 mov eax, dword ptr fs:[00000030h] 5_2_01610274
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_01610274 mov eax, dword ptr fs:[00000030h] 5_2_01610274
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_01610274 mov eax, dword ptr fs:[00000030h] 5_2_01610274
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015E8243 mov eax, dword ptr fs:[00000030h] 5_2_015E8243
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015E8243 mov ecx, dword ptr fs:[00000030h] 5_2_015E8243
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0161A250 mov eax, dword ptr fs:[00000030h] 5_2_0161A250
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0161A250 mov eax, dword ptr fs:[00000030h] 5_2_0161A250
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_01564260 mov eax, dword ptr fs:[00000030h] 5_2_01564260
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_01564260 mov eax, dword ptr fs:[00000030h] 5_2_01564260
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_01564260 mov eax, dword ptr fs:[00000030h] 5_2_01564260
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0155826B mov eax, dword ptr fs:[00000030h] 5_2_0155826B
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0163625D mov eax, dword ptr fs:[00000030h] 5_2_0163625D
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0155823B mov eax, dword ptr fs:[00000030h] 5_2_0155823B
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0156A2C3 mov eax, dword ptr fs:[00000030h] 5_2_0156A2C3
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0156A2C3 mov eax, dword ptr fs:[00000030h] 5_2_0156A2C3
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0156A2C3 mov eax, dword ptr fs:[00000030h] 5_2_0156A2C3
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0156A2C3 mov eax, dword ptr fs:[00000030h] 5_2_0156A2C3
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0156A2C3 mov eax, dword ptr fs:[00000030h] 5_2_0156A2C3
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_016362D6 mov eax, dword ptr fs:[00000030h] 5_2_016362D6
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015702E1 mov eax, dword ptr fs:[00000030h] 5_2_015702E1
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015702E1 mov eax, dword ptr fs:[00000030h] 5_2_015702E1
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015702E1 mov eax, dword ptr fs:[00000030h] 5_2_015702E1
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015E0283 mov eax, dword ptr fs:[00000030h] 5_2_015E0283
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015E0283 mov eax, dword ptr fs:[00000030h] 5_2_015E0283
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015E0283 mov eax, dword ptr fs:[00000030h] 5_2_015E0283
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0159E284 mov eax, dword ptr fs:[00000030h] 5_2_0159E284
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0159E284 mov eax, dword ptr fs:[00000030h] 5_2_0159E284
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015F62A0 mov eax, dword ptr fs:[00000030h] 5_2_015F62A0
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015F62A0 mov ecx, dword ptr fs:[00000030h] 5_2_015F62A0
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015F62A0 mov eax, dword ptr fs:[00000030h] 5_2_015F62A0
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015F62A0 mov eax, dword ptr fs:[00000030h] 5_2_015F62A0
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015F62A0 mov eax, dword ptr fs:[00000030h] 5_2_015F62A0
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015F62A0 mov eax, dword ptr fs:[00000030h] 5_2_015F62A0
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_01568550 mov eax, dword ptr fs:[00000030h] 5_2_01568550
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_01568550 mov eax, dword ptr fs:[00000030h] 5_2_01568550
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0159656A mov eax, dword ptr fs:[00000030h] 5_2_0159656A
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0159656A mov eax, dword ptr fs:[00000030h] 5_2_0159656A
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0159656A mov eax, dword ptr fs:[00000030h] 5_2_0159656A
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015F6500 mov eax, dword ptr fs:[00000030h] 5_2_015F6500
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_01570535 mov eax, dword ptr fs:[00000030h] 5_2_01570535
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_01570535 mov eax, dword ptr fs:[00000030h] 5_2_01570535
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_01570535 mov eax, dword ptr fs:[00000030h] 5_2_01570535
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_01570535 mov eax, dword ptr fs:[00000030h] 5_2_01570535
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_01570535 mov eax, dword ptr fs:[00000030h] 5_2_01570535
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_01570535 mov eax, dword ptr fs:[00000030h] 5_2_01570535
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_01634500 mov eax, dword ptr fs:[00000030h] 5_2_01634500
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_01634500 mov eax, dword ptr fs:[00000030h] 5_2_01634500
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_01634500 mov eax, dword ptr fs:[00000030h] 5_2_01634500
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_01634500 mov eax, dword ptr fs:[00000030h] 5_2_01634500
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_01634500 mov eax, dword ptr fs:[00000030h] 5_2_01634500
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_01634500 mov eax, dword ptr fs:[00000030h] 5_2_01634500
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_01634500 mov eax, dword ptr fs:[00000030h] 5_2_01634500
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0158E53E mov eax, dword ptr fs:[00000030h] 5_2_0158E53E
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0158E53E mov eax, dword ptr fs:[00000030h] 5_2_0158E53E
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0158E53E mov eax, dword ptr fs:[00000030h] 5_2_0158E53E
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0158E53E mov eax, dword ptr fs:[00000030h] 5_2_0158E53E
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0158E53E mov eax, dword ptr fs:[00000030h] 5_2_0158E53E
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015665D0 mov eax, dword ptr fs:[00000030h] 5_2_015665D0
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0159A5D0 mov eax, dword ptr fs:[00000030h] 5_2_0159A5D0
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0159A5D0 mov eax, dword ptr fs:[00000030h] 5_2_0159A5D0
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0159E5CF mov eax, dword ptr fs:[00000030h] 5_2_0159E5CF
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0159E5CF mov eax, dword ptr fs:[00000030h] 5_2_0159E5CF
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0159C5ED mov eax, dword ptr fs:[00000030h] 5_2_0159C5ED
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0159C5ED mov eax, dword ptr fs:[00000030h] 5_2_0159C5ED
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_015625E0 mov eax, dword ptr fs:[00000030h] 5_2_015625E0
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0158E5E7 mov eax, dword ptr fs:[00000030h] 5_2_0158E5E7
          Source: C:\Users\user\Desktop\RFQ-1024.exe Code function: 5_2_0158E5E7 mov eax, dword ptr fs:[00000030h] 5_2_0158E5E7
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0158E5E7 mov eax, dword ptr fs:[00000030h]5_2_0158E5E7
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0158E5E7 mov eax, dword ptr fs:[00000030h]5_2_0158E5E7
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0158E5E7 mov eax, dword ptr fs:[00000030h]5_2_0158E5E7
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0158E5E7 mov eax, dword ptr fs:[00000030h]5_2_0158E5E7
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0158E5E7 mov eax, dword ptr fs:[00000030h]5_2_0158E5E7
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0158E5E7 mov eax, dword ptr fs:[00000030h]5_2_0158E5E7
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0159E59C mov eax, dword ptr fs:[00000030h]5_2_0159E59C
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_01594588 mov eax, dword ptr fs:[00000030h]5_2_01594588
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_01562582 mov eax, dword ptr fs:[00000030h]5_2_01562582
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_01562582 mov ecx, dword ptr fs:[00000030h]5_2_01562582
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015845B1 mov eax, dword ptr fs:[00000030h]5_2_015845B1
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015845B1 mov eax, dword ptr fs:[00000030h]5_2_015845B1
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015E05A7 mov eax, dword ptr fs:[00000030h]5_2_015E05A7
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015E05A7 mov eax, dword ptr fs:[00000030h]5_2_015E05A7
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015E05A7 mov eax, dword ptr fs:[00000030h]5_2_015E05A7
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0158245A mov eax, dword ptr fs:[00000030h]5_2_0158245A
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0155645D mov eax, dword ptr fs:[00000030h]5_2_0155645D
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0159E443 mov eax, dword ptr fs:[00000030h]5_2_0159E443
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0159E443 mov eax, dword ptr fs:[00000030h]5_2_0159E443
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0159E443 mov eax, dword ptr fs:[00000030h]5_2_0159E443
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0159E443 mov eax, dword ptr fs:[00000030h]5_2_0159E443
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0159E443 mov eax, dword ptr fs:[00000030h]5_2_0159E443
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0159E443 mov eax, dword ptr fs:[00000030h]5_2_0159E443
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0159E443 mov eax, dword ptr fs:[00000030h]5_2_0159E443
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0159E443 mov eax, dword ptr fs:[00000030h]5_2_0159E443
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0158A470 mov eax, dword ptr fs:[00000030h]5_2_0158A470
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0158A470 mov eax, dword ptr fs:[00000030h]5_2_0158A470
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0158A470 mov eax, dword ptr fs:[00000030h]5_2_0158A470
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0161A456 mov eax, dword ptr fs:[00000030h]5_2_0161A456
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015EC460 mov ecx, dword ptr fs:[00000030h]5_2_015EC460
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_01598402 mov eax, dword ptr fs:[00000030h]5_2_01598402
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_01598402 mov eax, dword ptr fs:[00000030h]5_2_01598402
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_01598402 mov eax, dword ptr fs:[00000030h]5_2_01598402
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0159A430 mov eax, dword ptr fs:[00000030h]5_2_0159A430
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0155C427 mov eax, dword ptr fs:[00000030h]5_2_0155C427
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0155E420 mov eax, dword ptr fs:[00000030h]5_2_0155E420
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0155E420 mov eax, dword ptr fs:[00000030h]5_2_0155E420
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0155E420 mov eax, dword ptr fs:[00000030h]5_2_0155E420
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015E6420 mov eax, dword ptr fs:[00000030h]5_2_015E6420
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015E6420 mov eax, dword ptr fs:[00000030h]5_2_015E6420
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015E6420 mov eax, dword ptr fs:[00000030h]5_2_015E6420
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015E6420 mov eax, dword ptr fs:[00000030h]5_2_015E6420
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015E6420 mov eax, dword ptr fs:[00000030h]5_2_015E6420
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015E6420 mov eax, dword ptr fs:[00000030h]5_2_015E6420
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015E6420 mov eax, dword ptr fs:[00000030h]5_2_015E6420
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015604E5 mov ecx, dword ptr fs:[00000030h]5_2_015604E5
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015944B0 mov ecx, dword ptr fs:[00000030h]5_2_015944B0
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015EA4B0 mov eax, dword ptr fs:[00000030h]5_2_015EA4B0
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0161A49A mov eax, dword ptr fs:[00000030h]5_2_0161A49A
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015664AB mov eax, dword ptr fs:[00000030h]5_2_015664AB
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015EE75D mov eax, dword ptr fs:[00000030h]5_2_015EE75D
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_01560750 mov eax, dword ptr fs:[00000030h]5_2_01560750
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015A2750 mov eax, dword ptr fs:[00000030h]5_2_015A2750
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015A2750 mov eax, dword ptr fs:[00000030h]5_2_015A2750
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015E4755 mov eax, dword ptr fs:[00000030h]5_2_015E4755
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0159674D mov esi, dword ptr fs:[00000030h]5_2_0159674D
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0159674D mov eax, dword ptr fs:[00000030h]5_2_0159674D
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0159674D mov eax, dword ptr fs:[00000030h]5_2_0159674D
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_01568770 mov eax, dword ptr fs:[00000030h]5_2_01568770
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_01570770 mov eax, dword ptr fs:[00000030h]5_2_01570770
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_01570770 mov eax, dword ptr fs:[00000030h]5_2_01570770
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_01570770 mov eax, dword ptr fs:[00000030h]5_2_01570770
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_01570770 mov eax, dword ptr fs:[00000030h]5_2_01570770
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_01570770 mov eax, dword ptr fs:[00000030h]5_2_01570770
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_01570770 mov eax, dword ptr fs:[00000030h]5_2_01570770
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_01570770 mov eax, dword ptr fs:[00000030h]5_2_01570770
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_01570770 mov eax, dword ptr fs:[00000030h]5_2_01570770
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_01570770 mov eax, dword ptr fs:[00000030h]5_2_01570770
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_01570770 mov eax, dword ptr fs:[00000030h]5_2_01570770
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_01570770 mov eax, dword ptr fs:[00000030h]5_2_01570770
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_01570770 mov eax, dword ptr fs:[00000030h]5_2_01570770
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_01560710 mov eax, dword ptr fs:[00000030h]5_2_01560710
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_01590710 mov eax, dword ptr fs:[00000030h]5_2_01590710
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0159C700 mov eax, dword ptr fs:[00000030h]5_2_0159C700
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0159273C mov eax, dword ptr fs:[00000030h]5_2_0159273C
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0159273C mov ecx, dword ptr fs:[00000030h]5_2_0159273C
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0159273C mov eax, dword ptr fs:[00000030h]5_2_0159273C
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015DC730 mov eax, dword ptr fs:[00000030h]5_2_015DC730
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0159C720 mov eax, dword ptr fs:[00000030h]5_2_0159C720
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0159C720 mov eax, dword ptr fs:[00000030h]5_2_0159C720
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0156C7C0 mov eax, dword ptr fs:[00000030h]5_2_0156C7C0
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015E07C3 mov eax, dword ptr fs:[00000030h]5_2_015E07C3
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015647FB mov eax, dword ptr fs:[00000030h]5_2_015647FB
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015647FB mov eax, dword ptr fs:[00000030h]5_2_015647FB
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015827ED mov eax, dword ptr fs:[00000030h]5_2_015827ED
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015827ED mov eax, dword ptr fs:[00000030h]5_2_015827ED
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015827ED mov eax, dword ptr fs:[00000030h]5_2_015827ED
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015EE7E1 mov eax, dword ptr fs:[00000030h]5_2_015EE7E1
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_016147A0 mov eax, dword ptr fs:[00000030h]5_2_016147A0
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0160678E mov eax, dword ptr fs:[00000030h]5_2_0160678E
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015607AF mov eax, dword ptr fs:[00000030h]5_2_015607AF
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0162866E mov eax, dword ptr fs:[00000030h]5_2_0162866E
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0162866E mov eax, dword ptr fs:[00000030h]5_2_0162866E
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0157C640 mov eax, dword ptr fs:[00000030h]5_2_0157C640
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_01592674 mov eax, dword ptr fs:[00000030h]5_2_01592674
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0159A660 mov eax, dword ptr fs:[00000030h]5_2_0159A660
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0159A660 mov eax, dword ptr fs:[00000030h]5_2_0159A660
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015A2619 mov eax, dword ptr fs:[00000030h]5_2_015A2619
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015DE609 mov eax, dword ptr fs:[00000030h]5_2_015DE609
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0157260B mov eax, dword ptr fs:[00000030h]5_2_0157260B
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0157260B mov eax, dword ptr fs:[00000030h]5_2_0157260B
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0157260B mov eax, dword ptr fs:[00000030h]5_2_0157260B
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0157260B mov eax, dword ptr fs:[00000030h]5_2_0157260B
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0157260B mov eax, dword ptr fs:[00000030h]5_2_0157260B
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0157260B mov eax, dword ptr fs:[00000030h]5_2_0157260B
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0157260B mov eax, dword ptr fs:[00000030h]5_2_0157260B
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0157E627 mov eax, dword ptr fs:[00000030h]5_2_0157E627
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_01596620 mov eax, dword ptr fs:[00000030h]5_2_01596620
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_01598620 mov eax, dword ptr fs:[00000030h]5_2_01598620
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0156262C mov eax, dword ptr fs:[00000030h]5_2_0156262C
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0159A6C7 mov ebx, dword ptr fs:[00000030h]5_2_0159A6C7
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0159A6C7 mov eax, dword ptr fs:[00000030h]5_2_0159A6C7
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015E06F1 mov eax, dword ptr fs:[00000030h]5_2_015E06F1
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015E06F1 mov eax, dword ptr fs:[00000030h]5_2_015E06F1
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015DE6F2 mov eax, dword ptr fs:[00000030h]5_2_015DE6F2
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015DE6F2 mov eax, dword ptr fs:[00000030h]5_2_015DE6F2
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015DE6F2 mov eax, dword ptr fs:[00000030h]5_2_015DE6F2
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015DE6F2 mov eax, dword ptr fs:[00000030h]5_2_015DE6F2
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_01564690 mov eax, dword ptr fs:[00000030h]5_2_01564690
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_01564690 mov eax, dword ptr fs:[00000030h]5_2_01564690
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015966B0 mov eax, dword ptr fs:[00000030h]5_2_015966B0
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0159C6A6 mov eax, dword ptr fs:[00000030h]5_2_0159C6A6
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015E0946 mov eax, dword ptr fs:[00000030h]5_2_015E0946
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_01604978 mov eax, dword ptr fs:[00000030h]5_2_01604978
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_01604978 mov eax, dword ptr fs:[00000030h]5_2_01604978
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015EC97C mov eax, dword ptr fs:[00000030h]5_2_015EC97C
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_01634940 mov eax, dword ptr fs:[00000030h]5_2_01634940
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015A096E mov eax, dword ptr fs:[00000030h]5_2_015A096E
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015A096E mov edx, dword ptr fs:[00000030h]5_2_015A096E
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015A096E mov eax, dword ptr fs:[00000030h]5_2_015A096E
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_01586962 mov eax, dword ptr fs:[00000030h]5_2_01586962
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_01586962 mov eax, dword ptr fs:[00000030h]5_2_01586962
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_01586962 mov eax, dword ptr fs:[00000030h]5_2_01586962
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015EC912 mov eax, dword ptr fs:[00000030h]5_2_015EC912
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_01558918 mov eax, dword ptr fs:[00000030h]5_2_01558918
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_01558918 mov eax, dword ptr fs:[00000030h]5_2_01558918
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015DE908 mov eax, dword ptr fs:[00000030h]5_2_015DE908
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015DE908 mov eax, dword ptr fs:[00000030h]5_2_015DE908
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015E892A mov eax, dword ptr fs:[00000030h]5_2_015E892A
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015F892B mov eax, dword ptr fs:[00000030h]5_2_015F892B
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0156A9D0 mov eax, dword ptr fs:[00000030h]5_2_0156A9D0
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0156A9D0 mov eax, dword ptr fs:[00000030h]5_2_0156A9D0
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0156A9D0 mov eax, dword ptr fs:[00000030h]5_2_0156A9D0
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0156A9D0 mov eax, dword ptr fs:[00000030h]5_2_0156A9D0
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0156A9D0 mov eax, dword ptr fs:[00000030h]5_2_0156A9D0
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0156A9D0 mov eax, dword ptr fs:[00000030h]5_2_0156A9D0
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015949D0 mov eax, dword ptr fs:[00000030h]5_2_015949D0
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015F69C0 mov eax, dword ptr fs:[00000030h]5_2_015F69C0
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015929F9 mov eax, dword ptr fs:[00000030h]5_2_015929F9
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015929F9 mov eax, dword ptr fs:[00000030h]5_2_015929F9
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0162A9D3 mov eax, dword ptr fs:[00000030h]5_2_0162A9D3
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015EE9E0 mov eax, dword ptr fs:[00000030h]5_2_015EE9E0
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015E89B3 mov esi, dword ptr fs:[00000030h]5_2_015E89B3
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015E89B3 mov eax, dword ptr fs:[00000030h]5_2_015E89B3
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015E89B3 mov eax, dword ptr fs:[00000030h]5_2_015E89B3
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015729A0 mov eax, dword ptr fs:[00000030h]5_2_015729A0
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015729A0 mov eax, dword ptr fs:[00000030h]5_2_015729A0
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015729A0 mov eax, dword ptr fs:[00000030h]5_2_015729A0
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015729A0 mov eax, dword ptr fs:[00000030h]5_2_015729A0
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015729A0 mov eax, dword ptr fs:[00000030h]5_2_015729A0
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015729A0 mov eax, dword ptr fs:[00000030h]5_2_015729A0
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015729A0 mov eax, dword ptr fs:[00000030h]5_2_015729A0
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015729A0 mov eax, dword ptr fs:[00000030h]5_2_015729A0
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015729A0 mov eax, dword ptr fs:[00000030h]5_2_015729A0
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015729A0 mov eax, dword ptr fs:[00000030h]5_2_015729A0
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015729A0 mov eax, dword ptr fs:[00000030h]5_2_015729A0
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015729A0 mov eax, dword ptr fs:[00000030h]5_2_015729A0
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015729A0 mov eax, dword ptr fs:[00000030h]5_2_015729A0
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015609AD mov eax, dword ptr fs:[00000030h]5_2_015609AD
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015609AD mov eax, dword ptr fs:[00000030h]5_2_015609AD
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_01590854 mov eax, dword ptr fs:[00000030h]5_2_01590854
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_01564859 mov eax, dword ptr fs:[00000030h]5_2_01564859
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_01564859 mov eax, dword ptr fs:[00000030h]5_2_01564859
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_01572840 mov ecx, dword ptr fs:[00000030h]5_2_01572840
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015EE872 mov eax, dword ptr fs:[00000030h]5_2_015EE872
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015EE872 mov eax, dword ptr fs:[00000030h]5_2_015EE872
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015F6870 mov eax, dword ptr fs:[00000030h]5_2_015F6870
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015F6870 mov eax, dword ptr fs:[00000030h]5_2_015F6870
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015EC810 mov eax, dword ptr fs:[00000030h]5_2_015EC810
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0160483A mov eax, dword ptr fs:[00000030h]5_2_0160483A
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0160483A mov eax, dword ptr fs:[00000030h]5_2_0160483A
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0159A830 mov eax, dword ptr fs:[00000030h]5_2_0159A830
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_01582835 mov eax, dword ptr fs:[00000030h]5_2_01582835
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_01582835 mov eax, dword ptr fs:[00000030h]5_2_01582835
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_01582835 mov eax, dword ptr fs:[00000030h]5_2_01582835
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_01582835 mov ecx, dword ptr fs:[00000030h]5_2_01582835
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_01582835 mov eax, dword ptr fs:[00000030h]5_2_01582835
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_01582835 mov eax, dword ptr fs:[00000030h]5_2_01582835
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0162A8E4 mov eax, dword ptr fs:[00000030h]5_2_0162A8E4
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0158E8C0 mov eax, dword ptr fs:[00000030h]5_2_0158E8C0
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0159C8F9 mov eax, dword ptr fs:[00000030h]5_2_0159C8F9
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0159C8F9 mov eax, dword ptr fs:[00000030h]5_2_0159C8F9
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_016308C0 mov eax, dword ptr fs:[00000030h]5_2_016308C0
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015EC89D mov eax, dword ptr fs:[00000030h]5_2_015EC89D
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_01560887 mov eax, dword ptr fs:[00000030h]5_2_01560887
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_01558B50 mov eax, dword ptr fs:[00000030h]5_2_01558B50
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015F6B40 mov eax, dword ptr fs:[00000030h]5_2_015F6B40
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015F6B40 mov eax, dword ptr fs:[00000030h]5_2_015F6B40
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0162AB40 mov eax, dword ptr fs:[00000030h]5_2_0162AB40
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_01608B42 mov eax, dword ptr fs:[00000030h]5_2_01608B42
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_01614B4B mov eax, dword ptr fs:[00000030h]5_2_01614B4B
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_01614B4B mov eax, dword ptr fs:[00000030h]5_2_01614B4B
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0155CB7E mov eax, dword ptr fs:[00000030h]5_2_0155CB7E
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0160EB50 mov eax, dword ptr fs:[00000030h]5_2_0160EB50
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_01632B57 mov eax, dword ptr fs:[00000030h]5_2_01632B57
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_01632B57 mov eax, dword ptr fs:[00000030h]5_2_01632B57
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_01632B57 mov eax, dword ptr fs:[00000030h]5_2_01632B57
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_01632B57 mov eax, dword ptr fs:[00000030h]5_2_01632B57
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015DEB1D mov eax, dword ptr fs:[00000030h]5_2_015DEB1D
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015DEB1D mov eax, dword ptr fs:[00000030h]5_2_015DEB1D
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015DEB1D mov eax, dword ptr fs:[00000030h]5_2_015DEB1D
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015DEB1D mov eax, dword ptr fs:[00000030h]5_2_015DEB1D
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015DEB1D mov eax, dword ptr fs:[00000030h]5_2_015DEB1D
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015DEB1D mov eax, dword ptr fs:[00000030h]5_2_015DEB1D
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015DEB1D mov eax, dword ptr fs:[00000030h]5_2_015DEB1D
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015DEB1D mov eax, dword ptr fs:[00000030h]5_2_015DEB1D
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_015DEB1D mov eax, dword ptr fs:[00000030h]5_2_015DEB1D
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_01628B28 mov eax, dword ptr fs:[00000030h]5_2_01628B28
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_01628B28 mov eax, dword ptr fs:[00000030h]5_2_01628B28
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_01634B00 mov eax, dword ptr fs:[00000030h]5_2_01634B00
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0158EB20 mov eax, dword ptr fs:[00000030h]5_2_0158EB20
          Source: C:\Users\user\Desktop\RFQ-1024.exeCode function: 5_2_0158EB20 mov eax, dword ptr fs:[00000030h]5_2_0158EB20
          Source: C:\Users\user\Desktop\RFQ-1024.exe; Code function: 5_2_01580BCB mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Users\user\Desktop\RFQ-1024.exe; Code function: 5_2_01560BCD mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Users\user\Desktop\RFQ-1024.exe; Code function: 5_2_0158EBFC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-1024.exe; Code function: 5_2_01568BF0 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Users\user\Desktop\RFQ-1024.exe; Code function: 5_2_015ECBF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-1024.exe; Code function: 5_2_0160EBD0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-1024.exe; Code function: 5_2_01614BB0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Users\user\Desktop\RFQ-1024.exe; Code function: 5_2_01570BBE mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Users\user\Desktop\RFQ-1024.exe; Code function: 5_2_0160EA60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-1024.exe; Code function: 5_2_01566A50 mov eax, dword ptr fs:[00000030h] (7 occurrences)
          Source: C:\Users\user\Desktop\RFQ-1024.exe; Code function: 5_2_01570A5B mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Users\user\Desktop\RFQ-1024.exe; Code function: 5_2_015DCA72 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Users\user\Desktop\RFQ-1024.exe; Code function: 5_2_0159CA6F mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Users\user\Desktop\RFQ-1024.exe; Code function: 5_2_015ECA11 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-1024.exe; Code function: 5_2_0159CA38 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-1024.exe; Code function: 5_2_01584A35 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Users\user\Desktop\RFQ-1024.exe; Code function: 5_2_0158EA2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-1024.exe; Code function: 5_2_0159CA24 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-1024.exe; Code function: 5_2_01560AD0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-1024.exe; Code function: 5_2_01594AD0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Users\user\Desktop\RFQ-1024.exe; Code function: 5_2_015B6ACC mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Users\user\Desktop\RFQ-1024.exe; Code function: 5_2_0159AAEE mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Users\user\Desktop\RFQ-1024.exe; Code function: 5_2_01598A90 mov edx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-1024.exe; Code function: 5_2_0156EA80 mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Windows\SysWOW64\netsh.exe; Code function: 8_2_00A633AA GetProcessHeap,HeapAlloc,memcpy,qsort,GetProcessHeap,HeapFree
          Source: C:\Users\user\Desktop\RFQ-1024.exe; Process token adjusted: Debug (2 occurrences)
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\netsh.exe; Code function: 8_2_00A696E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
          Source: C:\Windows\SysWOW64\netsh.exe; Code function: 8_2_00A69930 SetUnhandledExceptionFilter
          Source: C:\Users\user\Desktop\RFQ-1024.exe; Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\Desktop\RFQ-1024.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ-1024.exe" (3 occurrences)
          Source: C:\Users\user\Desktop\RFQ-1024.exe; NtClose: Indirect: 0x14AA56C
          Source: C:\Users\user\Desktop\RFQ-1024.exe; NtQueueApcThread: Indirect: 0x14AA4F2
          Source: C:\Users\user\Desktop\RFQ-1024.exe; Section loaded: NULL; target: C:\Windows\explorer.exe; protection: execute and read and write
          Source: C:\Users\user\Desktop\RFQ-1024.exe; Section loaded: NULL; target: C:\Windows\SysWOW64\netsh.exe; protection: execute and read and write (2 occurrences)
          Source: C:\Windows\SysWOW64\netsh.exe; Section loaded: NULL; target: C:\Windows\explorer.exe; protection: read write
          Source: C:\Windows\SysWOW64\netsh.exe; Section loaded: NULL; target: C:\Windows\explorer.exe; protection: execute and read and write
          Source: C:\Users\user\Desktop\RFQ-1024.exe; Thread register set: target process: 4004
          Source: C:\Windows\SysWOW64\netsh.exe; Thread register set: target process: 4004
          Source: C:\Users\user\Desktop\RFQ-1024.exe; Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Users\user\Desktop\RFQ-1024.exe; Section unmapped: C:\Windows\SysWOW64\netsh.exe; base address: A60000
          Source: C:\Users\user\Desktop\RFQ-1024.exe; Process created: C:\Users\user\Desktop\RFQ-1024.exe "C:\Users\user\Desktop\RFQ-1024.exe"
          Source: C:\Windows\SysWOW64\netsh.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\RFQ-1024.exe"
          Source: explorer.exe, 00000006.00000002.4565420260.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.2144034911.00000000013A1000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: IProgram Manager
          Source: explorer.exe, 00000006.00000000.2145627107.00000000048E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4565420260.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.2144034911.00000000013A1000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000006.00000002.4565420260.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.2144034911.00000000013A1000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Progman
          Source: explorer.exe, 00000006.00000002.4564904557.0000000000D60000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2133976960.0000000000D69000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: +Progman
          Source: explorer.exe, 00000006.00000002.4565420260.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.2144034911.00000000013A1000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Progmanlock
          Source: explorer.exe, 00000006.00000002.4569132555.00000000098AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2150393168.00000000098AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979402480.00000000098AD000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: Shell_TrayWnd31A
          Source: C:\Users\user\Desktop\RFQ-1024.exe; Queries volume information: C:\Users\user\Desktop\RFQ-1024.exe VolumeInformation
          Source: C:\Users\user\Desktop\RFQ-1024.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\RFQ-1024.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\RFQ-1024.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\RFQ-1024.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\RFQ-1024.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (6 occurrences)
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation (6 occurrences)
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\netsh.exe; Code function: 8_2_00A69B55 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter
          Source: C:\Windows\SysWOW64\netsh.exe; Code function: 8_2_00A692E8 memset,GetVersionExW
          Source: C:\Users\user\Desktop\RFQ-1024.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Lowering of HIPS / PFW / Operating System Security Settings

          Source: C:\Windows\explorer.exe; Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\SysWOW64\netsh.exe"

          Stealing of Sensitive Information

          Source: Yara match; File source: 5.2.RFQ-1024.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 5.2.RFQ-1024.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 00000005.00000002.2202528811.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000008.00000002.4564962370.00000000034B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000008.00000002.4565141271.0000000003720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000000.00000002.2150735906.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000008.00000002.4564832433.0000000003310000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          Source: Yara match; File source: 5.2.RFQ-1024.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 5.2.RFQ-1024.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 00000005.00000002.2202528811.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000008.00000002.4564962370.00000000034B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000008.00000002.4565141271.0000000003720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000000.00000002.2150735906.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000008.00000002.4564832433.0000000003310000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          MITRE ATT&CK matrix (cells listed per tactic; leading digits kept as rendered in the report):
          Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
          Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
          Execution: 2 Windows Management Instrumentation; 1 Shared Modules; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
          Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
          Privilege Escalation: 412 Process Injection; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
          Defense Evasion: 1 Masquerading; 21 Disable or Modify Tools; 51 Virtualization/Sandbox Evasion; 412 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 4 Obfuscated Files or Information; 12 Software Packing; 1 Timestomp; 1 DLL Side-Loading
          Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
          Discovery: 1 System Time Discovery; 241 Security Software Discovery; 2 Process Discovery; 51 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 234 System Information Discovery; System Owner/User Discovery; Network Sniffing; Network Service Discovery
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
          Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
          Command and Control: 1 Encrypted Channel; 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
          Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
          Behavior Graph ID: 1520586; Sample: RFQ-1024.exe; Start date: 27/09/2024; Architecture: WINDOWS; Score: 100
          Contacted domains: www.venir-bienne.info; www.sx9u.shop; 9 other IPs or domains
          Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 8 other signatures
          Process tree:
          RFQ-1024.exe (started)
            Dropped: C:\Users\user\AppData\...\RFQ-1024.exe.log, ASCII
            Signatures: Adds a directory exclusion to Windows Defender; Tries to detect virtualization through RDTSC time measurements; Switches to a custom stack to bypass stack traces
            RFQ-1024.exe (started)
              Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
              explorer.exe (injected)
                Signatures: Uses netsh to modify the Windows network and firewall settings
                netsh.exe (started)
                  Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; Switches to a custom stack to bypass stack traces
                  cmd.exe (started)
                    conhost.exe (started)
            powershell.exe (started)
              Signatures: Loading BitLocker PowerShell Module
              WmiPrvSE.exe (started)
              conhost.exe (started)

          Source | Detection | Scanner | Label | Link
          RFQ-1024.exe | 61% | ReversingLabs | ByteCode-MSIL.Trojan.MassLogger
          RFQ-1024.exe | 100% | Joe Sandbox ML
          No Antivirus matches
          No Antivirus matches
          No Antivirus matches
          Source | Detection | Scanner | Label | Link
          https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | 0% | URL Reputation | safe
          https://api.msn.com:443/v1/news/Feed/Windows? | 0% | URL Reputation | safe
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
          https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | 0% | URL Reputation | safe
          https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew | 0% | URL Reputation | safe
          https://android.notify.windows.com/iOS | 0% | URL Reputation | safe
          http://schemas.micro | 0% | URL Reputation | safe
          https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew | 0% | URL Reputation | safe
          https://api.msn.com/ | 0% | URL Reputation | safe
          https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark | 0% | URL Reputation | safe
          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          www.472.top: IP unknown; active unknown; malicious true; reputation unknown
          www.024tengxun396.buzz: IP unknown; active unknown; malicious true; reputation unknown
          www.ourhealthyourlife.shop: IP unknown; active unknown; malicious true; reputation unknown
          www.23fd595ig.autos: IP unknown; active unknown; malicious true; reputation unknown
          www.458881233.men: IP unknown; active unknown; malicious true; reputation unknown
          www.ilw.legal: IP unknown; active unknown; malicious true; reputation unknown
          www.ridges-freezers-56090.bond: IP unknown; active unknown; malicious true; reputation unknown
          www.sx9u.shop: IP unknown; active unknown; malicious true; reputation unknown
          www.venir-bienne.info: IP unknown; active unknown; malicious true; reputation unknown
          www.nline-courses-classes-lv-1.bond: IP unknown; active unknown; malicious true; reputation unknown
          www.aketrtpmvpslot88.info: IP unknown; active unknown; malicious true; reputation unknown
          Name | Malicious | Antivirus Detection | Reputation
          www.ridges-freezers-56090.bond/c24t/: malicious true; reputation unknown
          Name | Source | Malicious | Antivirus Detection | Reputation
          http://www.rvinsadeli.devReferer: (source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp; malicious: false; reputation: unknown)
          http://www.sx9u.shop/c24t/www.024tengxun396.buzz (source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp; malicious: false; reputation: unknown)
          http://www.rvinsadeli.dev (source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp; malicious: false; reputation: unknown)
          http://www.aketrtpmvpslot88.info/c24t/www.venir-bienne.info (source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp; malicious: false; reputation: unknown)
          https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV (source: explorer.exe, 00000006.00000002.4567281591.00000000073E5000.00000004.00000001.00020000.00000000.sdmp; malicious: false; antivirus detection: URL Reputation: safe; reputation: unknown)
          https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF (source: explorer.exe, 00000006.00000000.2146243663.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4567281591.00000000073E5000.00000004.00000001.00020000.00000000.sdmp; malicious: false; reputation: unknown)
          http://www.ridges-freezers-56090.bondReferer: (source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp; malicious: false; reputation: unknown)
          http://www.02s-pest-control-us-ze.fun (source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp; malicious: false; reputation: unknown)
          http://www.024tengxun396.buzz/c24t/www.458881233.men (source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp; malicious: false; reputation: unknown)
          https://api.msn.com:443/v1/news/Feed/Windows? (source: explorer.exe, 00000006.00000000.2146243663.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4567281591.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4569132555.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2149982749.000000000973C000.00000004.00000001.00020000.00000000.sdmp; malicious: false; antivirus detection: URL Reputation: safe; reputation: unknown)
          http://www.rvinsadeli.dev/c24t/www.yrhbt.shop (source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp; malicious: false; reputation: unknown)
          https://word.office.comM (source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2156445462.000000000C048000.00000004.00000001.00020000.00000000.sdmp; malicious: false; reputation: unknown)
          http://www.024tengxun396.buzz/c24t/ (source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp; malicious: false; reputation: unknown)
          https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar- (source: explorer.exe, 00000006.00000000.2146243663.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4567281591.00000000073E5000.00000004.00000001.00020000.00000000.sdmp; malicious: false; reputation: unknown)
          https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri (source: explorer.exe, 00000006.00000000.2146243663.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4567281591.00000000073E5000.00000004.00000001.00020000.00000000.sdmp; malicious: false; reputation: unknown)
          http://www.sx9u.shopReferer: (source: explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp; malicious: false; reputation: unknown)
                                                              unknown
                                                              http://www.yrhbt.shop/c24t/explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                unknown
                                                                http://www.472.topexplorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                  unknown
                                                                  http://www.472.top/c24t/explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                    unknown
                                                                    http://www.aketrtpmvpslot88.infoReferer:explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                      unknown
                                                                      http://www.23fd595ig.autos/c24t/explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                        unknown
                                                                        http://www.02s-pest-control-us-ze.funReferer:explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                          unknown
                                                                          http://www.ourhealthyourlife.shop/c24t/www.consuyt.xyzexplorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                            unknown
                                                                            https://wns.windows.com/eexplorer.exe, 00000006.00000003.2979402480.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2150393168.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4569132555.00000000099AB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                              unknown
                                                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameRFQ-1024.exe, 00000000.00000002.2150291866.0000000002E21000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              http://www.yrhbt.shopexplorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                unknown
                                                                                http://www.nline-courses-classes-lv-1.bond/c24t/explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                  unknown
                                                                                  http://www.ilw.legal/c24t/www.472.topexplorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                    unknown
                                                                                    http://www.venir-bienne.info/c24t/www.rvinsadeli.devexplorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                      unknown
                                                                                      http://www.yrhbt.shopReferer:explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                        unknown
                                                                                        http://www.venir-bienne.info/c24t/explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                          unknown
                                                                                          http://www.458881233.men/c24t/www.ourhealthyourlife.shopexplorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                            unknown
                                                                                            http://www.472.top/c24t/www.ridges-freezers-56090.bondexplorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                              unknown
                                                                                              http://www.02s-pest-control-us-ze.fun/c24t/www.loud-computing-intl-3455364.fyiexplorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                unknown
                                                                                                http://www.ilw.legal/c24t/explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                  unknown
                                                                                                  https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earningsexplorer.exe, 00000006.00000002.4567281591.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                  • URL Reputation: safe
                                                                                                  unknown
                                                                                                  http://www.consuyt.xyz/c24t/www.nline-courses-classes-lv-1.bondexplorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                    unknown
                                                                                                    http://www.consuyt.xyz/c24t/explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                      unknown
                                                                                                      http://www.ridges-freezers-56090.bond/c24t/www.23fd595ig.autosexplorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                        unknown
                                                                                                        https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&ocexplorer.exe, 00000006.00000000.2146243663.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4567281591.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                          unknown
                                                                                                          https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNewexplorer.exe, 00000006.00000000.2146243663.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4567281591.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          unknown
                                                                                                          http://www.aketrtpmvpslot88.infoexplorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                            unknown
                                                                                                            https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-explorer.exe, 00000006.00000000.2146243663.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4567281591.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                              unknown
                                                                                                              http://www.23fd595ig.autos/c24t/www.aketrtpmvpslot88.infoexplorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                unknown
                                                                                                                https://android.notify.windows.com/iOSexplorer.exe, 00000006.00000000.2156445462.000000000BFDF000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                https://outlook.comeexplorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2156445462.000000000C048000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                  unknown
                                                                                                                  https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppexplorer.exe, 00000006.00000003.2979402480.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2150393168.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4569132555.00000000099AB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                    unknown
                                                                                                                    https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-theexplorer.exe, 00000006.00000000.2146243663.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4567281591.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                      unknown
                                                                                                                      http://www.ridges-freezers-56090.bond/c24t/explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                        unknown
                                                                                                                        http://www.024tengxun396.buzzReferer:explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                          unknown
                                                                                                                          http://www.yrhbt.shop/c24t/www.02s-pest-control-us-ze.funexplorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                            unknown
                                                                                                                            http://www.aketrtpmvpslot88.info/c24t/explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                              unknown
                                                                                                                              https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-explorer.exe, 00000006.00000000.2146243663.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4567281591.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                unknown
                                                                                                                                http://www.23fd595ig.autosexplorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                  unknown
                                                                                                                                  http://www.nline-courses-classes-lv-1.bond/c24t/www.ilw.legalexplorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                    unknown
                                                                                                                                    https://api.msn.com/v1/news/Feed/Windows?explorer.exe, 00000006.00000000.2149982749.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4569132555.000000000962B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                      unknown
                                                                                                                                      https://api.msn.com/Iexplorer.exe, 00000006.00000000.2149982749.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4569132555.000000000962B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                        unknown
                                                                                                                                        http://www.sx9u.shopexplorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                          unknown
                                                                                                                                          http://www.ilw.legalexplorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                            unknown
                                                                                                                                            http://www.ilw.legalReferer:explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                              unknown
                                                                                                                                              http://www.ourhealthyourlife.shopexplorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                unknown
                                                                                                                                                http://www.ridges-freezers-56090.bondexplorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                  unknown
                                                                                                                                                  http://schemas.microexplorer.exe, 00000006.00000002.4568175553.0000000007B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4565608048.00000000028A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4568156857.0000000007B50000.00000002.00000001.00040000.00000000.sdmpfalse
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  unknown
                                                                                                                                                  http://www.loud-computing-intl-3455364.fyiexplorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                    unknown
                                                                                                                                                    http://www.024tengxun396.buzzexplorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                      unknown
                                                                                                                                                      http://www.458881233.men/c24t/explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                        unknown
                                                                                                                                                        http://www.ourhealthyourlife.shopReferer:explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                          unknown
                                                                                                                                                          http://www.rvinsadeli.dev/c24t/explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                            unknown
                                                                                                                                                            https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNewexplorer.exe, 00000006.00000000.2146243663.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4567281591.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                            • URL Reputation: safe
                                                                                                                                                            unknown
                                                                                                                                                            http://www.nline-courses-classes-lv-1.bondReferer:explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                              unknown
                                                                                                                                                              https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-hexplorer.exe, 00000006.00000000.2146243663.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4567281591.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                unknown
                                                                                                                                                                https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-quexplorer.exe, 00000006.00000000.2146243663.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4567281591.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                  unknown
                                                                                                                                                                  http://www.nline-courses-classes-lv-1.bondexplorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                    unknown
                                                                                                                                                                    http://www.458881233.menReferer:explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                      unknown
                                                                                                                                                                      http://www.venir-bienne.infoexplorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                        unknown
                                                                                                                                                                        http://www.458881233.menexplorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                          unknown
                                                                                                                                                                          http://www.02s-pest-control-us-ze.fun/c24t/explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                            unknown
                                                                                                                                                                            http://www.23fd595ig.autosReferer:explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                              unknown
                                                                                                                                                                              https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhzexplorer.exe, 00000006.00000000.2146243663.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4567281591.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                                unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://excel.office.com- | explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2156445462.000000000C048000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.472.topReferer: | explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg | explorer.exe, 00000006.00000002.4567281591.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.sx9u.shop/c24t/ | explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark | explorer.exe, 00000006.00000000.2146243663.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4567281591.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | RFQ-1024.exe | false | | unknown
https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA | explorer.exe, 00000006.00000000.2146243663.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4567281591.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c | explorer.exe, 00000006.00000000.2146243663.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4567281591.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve | explorer.exe, 00000006.00000000.2146243663.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4567281591.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.loud-computing-intl-3455364.fyi/c24t/ | explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://powerpoint.office.comEMd | explorer.exe, 00000006.00000002.4572480568.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2156445462.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.venir-bienne.infoReferer: | explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation | explorer.exe, 00000006.00000000.2146243663.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4567281591.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.loud-computing-intl-3455364.fyiReferer: | explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://api.msn.com/ | explorer.exe, 00000006.00000000.2149982749.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4569132555.000000000962B000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.consuyt.xyz | explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.ourhealthyourlife.shop/c24t/ | explorer.exe, 00000006.00000002.4572480568.000000000C087000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark | explorer.exe, 00000006.00000002.4567281591.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.msn.com:443/en-us/feed | explorer.exe, 00000006.00000000.2146243663.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4567281591.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/en-us/news/world/us-supplies-ukraine-with-a-million-rounds-of-ammunition-seized- | explorer.exe, 00000006.00000000.2146243663.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4567281591.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1520586
Start date and time:2024-09-27 16:04:40 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 10m 43s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:14
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode:default
Sample name:RFQ-1024.exe
Detection:MAL
Classification:mal100.troj.evad.winEXE@12/6@11/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 103
• Number of non-executed functions: 354
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.85.23.206, 52.165.164.15
• Excluded domains from analysis (whitelisted): client.wns.windows.com, fe3.delivery.mp.microsoft.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: RFQ-1024.exe
Time | Type | Description
10:05:30 | API Interceptor | 1x Sleep call for process: RFQ-1024.exe modified
10:05:33 | API Interceptor | 11x Sleep call for process: powershell.exe modified
10:05:35 | API Interceptor | 9162469x Sleep call for process: explorer.exe modified
10:06:16 | API Interceptor | 7981661x Sleep call for process: netsh.exe modified
No context
Process:C:\Users\user\Desktop\RFQ-1024.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1216
Entropy (8bit):5.34331486778365
Encrypted:false
SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:1330C80CAAC9A0FB172F202485E9B1E8
SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:true
Reputation:high, very likely benign file
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):2232
Entropy (8bit):5.379401388151058
Encrypted:false
SSDEEP:48:fWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMugeC/ZPUyus:fLHxvIIwLgZ2KRHWLOug8s
MD5:AF15464AFD6EB7D301162A1DC8E01662
SHA1:A974B8FEC71BF837B8E72FE43AB43E447FC43A86
SHA-256:103A67F6744C098E5121D2D732753DFA4B54FA0EFD918FEC3941A3C052F5E211
SHA-512:7B5B7B7F6EAE4544BAF61F9C02BF0138950E5D7D1B0457DE2FAB2C4C484220BDD1AB42D6884838E798AD46CE1B5B5426CEB825A1690B1190857D3B643ABFAB37
Malicious:false
Reputation:moderate, very likely benign file
Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                    Size (bytes):60
                                                                                                                                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):7.843938369878012
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 50.01%
• Win32 Executable (generic) a (10002005/4) 49.97%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:RFQ-1024.exe
File size:602'632 bytes
MD5:3429170427053d7d39dc81b889d0097e
SHA1:8631c8767beda82b2b14f2de215d745e512f3ea2
SHA256:6dc1bba66cba9a4ee7a5156375e1935bd30c6b1022bea4082fb3714ce5c73e07
SHA512:8c73ee16f331104895c338476146053b488a7695bcefbf9dea44385ba671ed31be065a03c30ae79a8118e02668f6a0fcaae5bf06d476c92156f0c4c6a4af2d6b
SSDEEP:12288:pBtLYydPGLVH+xV4QL/ywRMufCXgnWusDYdhjB5gjYsSOBddtTJzkR:pBRFtGJ+xVbLvRM3XOWusDeNOjYs0
TLSH:43D41248261AC723D5A39FF44451C27587B26FCD7A02C2636FEABDEFBC8A7400940796
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....m................0.................. ... ....@.. .......................`............@................................
Icon Hash:00928e8e8686b000
Entrypoint:0x4910ba
Entrypoint Section:.text
Digitally signed:true
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0xD69A6D8B [Thu Feb 3 19:33:31 2084 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Signature Valid:false
Signature Issuer:CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:The digital signature of the object did not verify
Error Number:-2146869232
Not Before, Not After
• 13/11/2018 01:00:00 09/11/2021 00:59:59
Subject Chain
• CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:3
Thumbprint MD5:DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:7C1118CBBADC95DA3752C46E47A27438
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x91068 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x92000 | 0x5dc | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x8fc00 | 0x3608 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x94000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x8fa04 | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x8f0c0 | 0x8f200 | ae40ec647a2f1f0a395ba51024b154be | False | 0.9308184361353712 | data | 7.850178161565513 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x92000 | 0x5dc | 0x600 | cdfcb82f0f7b23c6a5d7c81aeb5c551c | False | 0.4381510416666667 | data | 4.189751656043032 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x94000 | 0xc | 0x200 | 52cae7ea528221410640c8a6ef3aa73d | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x92090 | 0x34c | data | | | 0.43838862559241704
RT_MANIFEST | 0x923ec | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347

DLL | Import
mscoree.dll | _CorExeMain

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 27, 2024 16:06:10.394252062 CEST | 65380 | 53 | 192.168.2.6 | 1.1.1.1
Sep 27, 2024 16:06:10.404113054 CEST | 53 | 65380 | 1.1.1.1 | 192.168.2.6
Sep 27, 2024 16:06:30.159291029 CEST | 53069 | 53 | 192.168.2.6 | 1.1.1.1
Sep 27, 2024 16:06:30.169507027 CEST | 53 | 53069 | 1.1.1.1 | 192.168.2.6
Sep 27, 2024 16:06:49.784142971 CEST | 49793 | 53 | 192.168.2.6 | 1.1.1.1
Sep 27, 2024 16:06:49.794028997 CEST | 53 | 49793 | 1.1.1.1 | 192.168.2.6
Sep 27, 2024 16:07:10.174820900 CEST | 61923 | 53 | 192.168.2.6 | 1.1.1.1
Sep 27, 2024 16:07:10.184134960 CEST | 53 | 61923 | 1.1.1.1 | 192.168.2.6
Sep 27, 2024 16:07:51.331355095 CEST | 65200 | 53 | 192.168.2.6 | 1.1.1.1
Sep 27, 2024 16:07:51.342103958 CEST | 53 | 65200 | 1.1.1.1 | 192.168.2.6
Sep 27, 2024 16:08:11.864052057 CEST | 62441 | 53 | 192.168.2.6 | 1.1.1.1
Sep 27, 2024 16:08:11.874073029 CEST | 53 | 62441 | 1.1.1.1 | 192.168.2.6
Sep 27, 2024 16:08:32.791913033 CEST | 52234 | 53 | 192.168.2.6 | 1.1.1.1
Sep 27, 2024 16:08:33.128247976 CEST | 53 | 52234 | 1.1.1.1 | 192.168.2.6
Sep 27, 2024 16:08:53.487776995 CEST | 49821 | 53 | 192.168.2.6 | 1.1.1.1
Sep 27, 2024 16:08:53.498250961 CEST | 53 | 49821 | 1.1.1.1 | 192.168.2.6
Sep 27, 2024 16:09:13.925281048 CEST | 55336 | 53 | 192.168.2.6 | 1.1.1.1
Sep 27, 2024 16:09:13.935791969 CEST | 53 | 55336 | 1.1.1.1 | 192.168.2.6
Sep 27, 2024 16:09:34.426670074 CEST | 56644 | 53 | 192.168.2.6 | 1.1.1.1
Sep 27, 2024 16:09:34.441766024 CEST | 53 | 56644 | 1.1.1.1 | 192.168.2.6
Sep 27, 2024 16:09:56.284679890 CEST | 49234 | 53 | 192.168.2.6 | 1.1.1.1
Sep 27, 2024 16:09:56.302088022 CEST | 53 | 49234 | 1.1.1.1 | 192.168.2.6

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 27, 2024 16:06:10.394252062 CEST | 192.168.2.6 | 1.1.1.1 | 0xa4cd | Standard query (0) | www.sx9u.shop | A (IP address) | IN (0x0001) | false
Sep 27, 2024 16:06:30.159291029 CEST | 192.168.2.6 | 1.1.1.1 | 0xfc19 | Standard query (0) | www.024tengxun396.buzz | A (IP address) | IN (0x0001) | false
Sep 27, 2024 16:06:49.784142971 CEST | 192.168.2.6 | 1.1.1.1 | 0x7f78 | Standard query (0) | www.458881233.men | A (IP address) | IN (0x0001) | false
Sep 27, 2024 16:07:10.174820900 CEST | 192.168.2.6 | 1.1.1.1 | 0xb463 | Standard query (0) | www.ourhealthyourlife.shop | A (IP address) | IN (0x0001) | false
Sep 27, 2024 16:07:51.331355095 CEST | 192.168.2.6 | 1.1.1.1 | 0x8929 | Standard query (0) | www.nline-courses-classes-lv-1.bond | A (IP address) | IN (0x0001) | false
Sep 27, 2024 16:08:11.864052057 CEST | 192.168.2.6 | 1.1.1.1 | 0x561e | Standard query (0) | www.ilw.legal | A (IP address) | IN (0x0001) | false
Sep 27, 2024 16:08:32.791913033 CEST | 192.168.2.6 | 1.1.1.1 | 0xb32d | Standard query (0) | www.472.top | A (IP address) | IN (0x0001) | false
Sep 27, 2024 16:08:53.487776995 CEST | 192.168.2.6 | 1.1.1.1 | 0x5f2f | Standard query (0) | www.ridges-freezers-56090.bond | A (IP address) | IN (0x0001) | false
Sep 27, 2024 16:09:13.925281048 CEST | 192.168.2.6 | 1.1.1.1 | 0x8b05 | Standard query (0) | www.23fd595ig.autos | A (IP address) | IN (0x0001) | false
Sep 27, 2024 16:09:34.426670074 CEST | 192.168.2.6 | 1.1.1.1 | 0x812 | Standard query (0) | www.aketrtpmvpslot88.info | A (IP address) | IN (0x0001) | false
Sep 27, 2024 16:09:56.284679890 CEST | 192.168.2.6 | 1.1.1.1 | 0xb91d | Standard query (0) | www.venir-bienne.info | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 27, 2024 16:06:10.404113054 CEST | 1.1.1.1 | 192.168.2.6 | 0xa4cd | Name error (3) | www.sx9u.shop | none | none | A (IP address) | IN (0x0001) | false
Sep 27, 2024 16:06:30.169507027 CEST | 1.1.1.1 | 192.168.2.6 | 0xfc19 | Name error (3) | www.024tengxun396.buzz | none | none | A (IP address) | IN (0x0001) | false
Sep 27, 2024 16:06:49.794028997 CEST | 1.1.1.1 | 192.168.2.6 | 0x7f78 | Name error (3) | www.458881233.men | none | none | A (IP address) | IN (0x0001) | false
Sep 27, 2024 16:07:10.184134960 CEST | 1.1.1.1 | 192.168.2.6 | 0xb463 | Name error (3) | www.ourhealthyourlife.shop | none | none | A (IP address) | IN (0x0001) | false
Sep 27, 2024 16:07:51.342103958 CEST | 1.1.1.1 | 192.168.2.6 | 0x8929 | Name error (3) | www.nline-courses-classes-lv-1.bond | none | none | A (IP address) | IN (0x0001) | false
Sep 27, 2024 16:08:11.874073029 CEST | 1.1.1.1 | 192.168.2.6 | 0x561e | Name error (3) | www.ilw.legal | none | none | A (IP address) | IN (0x0001) | false
Sep 27, 2024 16:08:33.128247976 CEST | 1.1.1.1 | 192.168.2.6 | 0xb32d | Name error (3) | www.472.top | none | none | A (IP address) | IN (0x0001) | false
Sep 27, 2024 16:08:53.498250961 CEST | 1.1.1.1 | 192.168.2.6 | 0x5f2f | Name error (3) | www.ridges-freezers-56090.bond | none | none | A (IP address) | IN (0x0001) | false
Sep 27, 2024 16:09:13.935791969 CEST | 1.1.1.1 | 192.168.2.6 | 0x8b05 | Name error (3) | www.23fd595ig.autos | none | none | A (IP address) | IN (0x0001) | false
Sep 27, 2024 16:09:34.441766024 CEST | 1.1.1.1 | 192.168.2.6 | 0x812 | Name error (3) | www.aketrtpmvpslot88.info | none | none | A (IP address) | IN (0x0001) | false
Sep 27, 2024 16:09:56.302088022 CEST | 1.1.1.1 | 192.168.2.6 | 0xb91d | Name error (3) | www.venir-bienne.info | none | none | A (IP address) | IN (0x0001) | false

Target ID: 0
Start time: 10:05:30
Start date: 27/09/2024
Path: C:\Users\user\Desktop\RFQ-1024.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\RFQ-1024.exe"
Imagebase: 0xa40000
File size: 602'632 bytes
MD5 hash: 3429170427053D7D39DC81B889D0097E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.2150735906.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.2150735906.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.2150735906.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.2150735906.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.2150735906.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low
Has exited: true

Target ID: 3
Start time: 10:05:31
Start date: 27/09/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ-1024.exe"
Imagebase: 0x80000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 10:05:31
Start date: 27/09/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 10:05:31
Start date: 27/09/2024
Path: C:\Users\user\Desktop\RFQ-1024.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\RFQ-1024.exe"
Imagebase: 0xae0000
File size: 602'632 bytes
MD5 hash: 3429170427053D7D39DC81B889D0097E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2202528811.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2202528811.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.2202528811.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2202528811.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2202528811.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low
Has exited: true

Target ID: 6
Start time: 10:05:31
Start date: 27/09/2024
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0x7ff609140000
File size: 5'141'208 bytes
MD5 hash: 662F4F92FDE3557E86D110526BB578D5
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 7
Start time: 10:05:33
Start date: 27/09/2024
Path: C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase: 0x7ff717f30000
File size: 496'640 bytes
MD5 hash: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

                                                                                                                                                                                                                    Target ID:8
                                                                                                                                                                                                                    Start time:10:05:35
                                                                                                                                                                                                                    Start date:27/09/2024
                                                                                                                                                                                                                    Path:C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                                                                    Commandline:"C:\Windows\SysWOW64\netsh.exe"
                                                                                                                                                                                                                    Imagebase:0xa60000
                                                                                                                                                                                                                    File size:82'432 bytes
                                                                                                                                                                                                                    MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                                                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                    Yara matches:
                                                                                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.4564962370.00000000034B0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.4564962370.00000000034B0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.4564962370.00000000034B0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.4564962370.00000000034B0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.4564962370.00000000034B0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.4565141271.0000000003720000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.4565141271.0000000003720000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.4565141271.0000000003720000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.4565141271.0000000003720000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.4565141271.0000000003720000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.4564832433.0000000003310000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.4564832433.0000000003310000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.4564832433.0000000003310000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.4564832433.0000000003310000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.4564832433.0000000003310000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                                                                    Reputation:high
                                                                                                                                                                                                                    Has exited:false

                                                                                                                                                                                                                    Target ID:9
                                                                                                                                                                                                                    Start time:10:05:39
                                                                                                                                                                                                                    Start date:27/09/2024
                                                                                                                                                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                                                                    Commandline:/c del "C:\Users\user\Desktop\RFQ-1024.exe"
                                                                                                                                                                                                                    Imagebase:0x1c0000
                                                                                                                                                                                                                    File size:236'544 bytes
                                                                                                                                                                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                    Reputation:high
                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                    Target ID:10
                                                                                                                                                                                                                    Start time:10:05:39
                                                                                                                                                                                                                    Start date:27/09/2024
                                                                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                    Imagebase:0x7ff66e660000
                                                                                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                    Reputation:high
                                                                                                                                                                                                                    Has exited:true

Execution Graph

Execution Coverage: 8.4%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 45
Total number of Limit Nodes: 9
Memory Dump Source
• Source File: 00000000.00000002.2155059690.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_76b0000_RFQ-1024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 068d1f3b862f016e7bcdf2a5075f5689b757390b0d587d3ed21a591780badf37
• Instruction ID: f6b2b29b15ccd38e49f3c43a9be6ef697111d2a87990365559eec825788f1655
• Opcode Fuzzy Hash: 068d1f3b862f016e7bcdf2a5075f5689b757390b0d587d3ed21a591780badf37
• Instruction Fuzzy Hash: 96B01241DBF184D9C311297010110F0DDFC050F000F153085400773003C508C4CB474F

Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32 ref: 0148D3BE
• GetCurrentThread.KERNEL32 ref: 0148D3FB
• GetCurrentProcess.KERNEL32 ref: 0148D438
• GetCurrentThreadId.KERNEL32 ref: 0148D491
Memory Dump Source
• Source File: 00000000.00000002.2150092575.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1480000_RFQ-1024.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: 4f245ae62b97451f60cd6e11c0a6f4d565a0978c24e39233dafe267e20426886
• Instruction ID: e824766b62d79d0f0a7395f368ea8623a13e426778ace2fb57c84dd772404f03
• Opcode Fuzzy Hash: 4f245ae62b97451f60cd6e11c0a6f4d565a0978c24e39233dafe267e20426886
• Instruction Fuzzy Hash: 885146B0D013098FDB14DFA9D548BDEBFF1AF88314F20845AE519A73A0DB746944CB65

Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32 ref: 0148D3BE
• GetCurrentThread.KERNEL32 ref: 0148D3FB
• GetCurrentProcess.KERNEL32 ref: 0148D438
• GetCurrentThreadId.KERNEL32 ref: 0148D491
Memory Dump Source
• Source File: 00000000.00000002.2150092575.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1480000_RFQ-1024.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: 94b000151cd87ae7148224c8d4f21482a861811891375bfd24a18d7fb349b09b
• Instruction ID: b345dccbb8529fd1b5381c49db7503f2bd93852117023b5440dfc7e3fdc3bf04
• Opcode Fuzzy Hash: 94b000151cd87ae7148224c8d4f21482a861811891375bfd24a18d7fb349b09b
• Instruction Fuzzy Hash: 575155B0D013098FDB14DFAAD548BDEBFF1AF88314F208419E119A73A0DB746944CB65

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      control_flow_graph 44 148b0a8-148b0b7 45 148b0b9-148b0c6 call 1489b14 44->45 46 148b0e3-148b0e7 44->46 51 148b0c8 45->51 52 148b0dc 45->52 48 148b0e9-148b0f3 46->48 49 148b0fb-148b13c 46->49 48->49 55 148b149-148b157 49->55 56 148b13e-148b146 49->56 99 148b0ce call 148b340 51->99 100 148b0ce call 148b331 51->100 52->46 57 148b159-148b15e 55->57 58 148b17b-148b17d 55->58 56->55 61 148b169 57->61 62 148b160-148b167 call 148ad10 57->62 60 148b180-148b187 58->60 59 148b0d4-148b0d6 59->52 63 148b218-148b2d8 59->63 65 148b189-148b191 60->65 66 148b194-148b19b 60->66 67 148b16b-148b179 61->67 62->67 94 148b2da-148b2dd 63->94 95 148b2e0-148b30b GetModuleHandleW 63->95 65->66 70 148b1a8-148b1b1 call 148ad20 66->70 71 148b19d-148b1a5 66->71 67->60 75 148b1be-148b1c3 70->75 76 148b1b3-148b1bb 70->76 71->70 78 148b1e1-148b1ee 75->78 79 148b1c5-148b1cc 75->79 76->75 85 148b1f0-148b20e 78->85 86 148b211-148b217 78->86 79->78 80 148b1ce-148b1de call 148ad30 call 148ad40 79->80 80->78 85->86 94->95 96 148b30d-148b313 95->96 97 148b314-148b328 95->97 96->97 99->59 100->59
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 0148B2FE
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2150092575.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_1480000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: HandleModule
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 4139908857-0
                                                                                                                                                                                                                      • Opcode ID: 185074379b52083bc28b89e453a3f3336e1e276db3fcb71039e7a59e7e1901fd
                                                                                                                                                                                                                      • Instruction ID: 7799eeef016bbe658a2262cc12c2c58711eeead53282c4273bfebba76e837e58
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 185074379b52083bc28b89e453a3f3336e1e276db3fcb71039e7a59e7e1901fd
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8C710370A00B058FD724EF6AD44575BBBF1FB88240F10892ED54ADBB60DB75E846CB90

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      control_flow_graph 101 148590c-1485913 102 1485918-14859d9 CreateActCtxA 101->102 104 14859db-14859e1 102->104 105 14859e2-1485a3c 102->105 104->105 112 1485a4b-1485a4f 105->112 113 1485a3e-1485a41 105->113 114 1485a60 112->114 115 1485a51-1485a5d 112->115 113->112 117 1485a61 114->117 115->114 117->117
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • CreateActCtxA.KERNEL32(?), ref: 014859C9
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2150092575.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_1480000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Create
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2289755597-0
                                                                                                                                                                                                                      • Opcode ID: f0e1907d217ea5426c007a5cec42e0afb9c8c0904ad3f1526b9f11b48f7d8fb4
                                                                                                                                                                                                                      • Instruction ID: ded38194a89bb146ab247ea77712c3bbb7988d980de6169c3590a282717b9ef1
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f0e1907d217ea5426c007a5cec42e0afb9c8c0904ad3f1526b9f11b48f7d8fb4
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4341C0B1C00719CBDB24DFA9C984B8EBBF5BF88714F20815AD408AB251DB756945CF90

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      control_flow_graph 118 14844b4-14859d9 CreateActCtxA 121 14859db-14859e1 118->121 122 14859e2-1485a3c 118->122 121->122 129 1485a4b-1485a4f 122->129 130 1485a3e-1485a41 122->130 131 1485a60 129->131 132 1485a51-1485a5d 129->132 130->129 134 1485a61 131->134 132->131 134->134
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • CreateActCtxA.KERNEL32(?), ref: 014859C9
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2150092575.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_1480000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Create
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2289755597-0
                                                                                                                                                                                                                      • Opcode ID: 5a9336feb0e160a81ee6961a3e396ec486225e46136da95ac55e1668f85137c7
                                                                                                                                                                                                                      • Instruction ID: 2f4a140abab2cfc714f5fb1621b5dd0c773e9f80c9ed2a4edbef1de7235ac9ce
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 5a9336feb0e160a81ee6961a3e396ec486225e46136da95ac55e1668f85137c7
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9241E0B0C0071DCBDB24DFA9C98478EBBF5BF88704F20806AD408AB251DBB56945CF90

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      control_flow_graph 135 148d588-148d61c DuplicateHandle 136 148d61e-148d624 135->136 137 148d625-148d642 135->137 136->137
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0148D60F
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2150092575.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_1480000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: DuplicateHandle
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3793708945-0
                                                                                                                                                                                                                      • Opcode ID: f49327b036d0b4710444a6619475cda2d0bb4c42c5f0a6a04514c00ad5ab99ae
                                                                                                                                                                                                                      • Instruction ID: 25ed838725524d120aadb7c8e734a8cd2a56adfba983068755aaa1505092a9aa
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f49327b036d0b4710444a6619475cda2d0bb4c42c5f0a6a04514c00ad5ab99ae
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 7F21C4B5D012499FDB10CF9AD984ADEBFF4FB48324F14841AE918A3350D378A954CFA5

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      control_flow_graph 140 148d580-148d61c DuplicateHandle 141 148d61e-148d624 140->141 142 148d625-148d642 140->142 141->142
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0148D60F
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2150092575.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_1480000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: DuplicateHandle
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3793708945-0
                                                                                                                                                                                                                      • Opcode ID: df10efbf215477a8fa93b55976de29b7c459ee30c4bbb80238fecae2f2be6d56
                                                                                                                                                                                                                      • Instruction ID: 553b84630ced20770d1bc73a04ebd76537afa1936cc0ce60bec12ed4e1db766a
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: df10efbf215477a8fa93b55976de29b7c459ee30c4bbb80238fecae2f2be6d56
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 7C21B0B5D01249DFDB10CFA9D984ADEBBF4EF48324F14841AE918A3350D378A954CFA5

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      control_flow_graph 145 148b298-148b2d8 146 148b2da-148b2dd 145->146 147 148b2e0-148b30b GetModuleHandleW 145->147 146->147 148 148b30d-148b313 147->148 149 148b314-148b328 147->149 148->149
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 0148B2FE
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2150092575.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_1480000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: HandleModule
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 4139908857-0
                                                                                                                                                                                                                      • Opcode ID: 340e698775b2982ad05e4cf891d1d3a33c30d57513811f45ca7c2aac36a5627a
                                                                                                                                                                                                                      • Instruction ID: e21986d1c4d7b115116f4652c75978734737e5a15227470b012ccfeae00f4bd3
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 340e698775b2982ad05e4cf891d1d3a33c30d57513811f45ca7c2aac36a5627a
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: FA11C0B5C006498FDB14DF9AC444A9EFBF4EB88224F10841AD919A7210D375A545CFA5

Control-flow Graph: basic blocks 76b236a-76b23da (calls PostMessageW), 76b23dc-76b23e2, 76b23e3-76b23f7; edges 151->152, 151->153, 152->153
APIs
• PostMessageW.USER32(?,?,?,?), ref: 076B23CD
Memory Dump Source
• Source File: 00000000.00000002.2155059690.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_76b0000_RFQ-1024.jbxd
Similarity
• API ID: MessagePost
• API String ID: 410705778-0

Control-flow Graph: basic blocks 76b2370-76b23da (calls PostMessageW), 76b23dc-76b23e2, 76b23e3-76b23f7; edges 155->156, 155->157, 156->157
APIs
• PostMessageW.USER32(?,?,?,?), ref: 076B23CD
Memory Dump Source
• Source File: 00000000.00000002.2155059690.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_76b0000_RFQ-1024.jbxd
Similarity
• API ID: MessagePost
• API String ID: 410705778-0
Memory Dump Source
• Source File: 00000000.00000002.2149717985.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_129d000_RFQ-1024.jbxd
Memory Dump Source
• Source File: 00000000.00000002.2149717985.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_129d000_RFQ-1024.jbxd
Memory Dump Source
• Source File: 00000000.00000002.2149798532.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_12ad000_RFQ-1024.jbxd
Memory Dump Source
• Source File: 00000000.00000002.2149798532.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_12ad000_RFQ-1024.jbxd
Memory Dump Source
• Source File: 00000000.00000002.2149717985.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_129d000_RFQ-1024.jbxd
Memory Dump Source
• Source File: 00000000.00000002.2149717985.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_129d000_RFQ-1024.jbxd
Memory Dump Source
• Source File: 00000000.00000002.2149717985.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_129d000_RFQ-1024.jbxd
Memory Dump Source
• Source File: 00000000.00000002.2149717985.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_129d000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 6c06c1e4860adeeb10305123cf0f979d8e48affc0c3926d8d8a2530255ac923c
                                                                                                                                                                                                                      • Instruction ID: fbadae3a74ff19b20473ccb14c43ae87fb2afb2a8d14d748cd266b6e8832aa08
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6c06c1e4860adeeb10305123cf0f979d8e48affc0c3926d8d8a2530255ac923c
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 11F062724053889EEB158A19DDC4BA6FFD8EB85774F18C55AEE084A283C2799844CB71
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2155059690.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_76b0000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 647aa07f450cbed767f0e23eecaa7d698c9ad9bfbe24726c29b98aeedc2965bc
                                                                                                                                                                                                                      • Instruction ID: 3bdfba9dfc00dac314dd9f460e68c0011c979fb1fd4ae7e49d1bb0d62dc6e961
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 647aa07f450cbed767f0e23eecaa7d698c9ad9bfbe24726c29b98aeedc2965bc
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 90D1BEB17003018FDB25EB76C4507AEB7E6EF8A704F64446ED14A9B3A0CB75E982CB51
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2150092575.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_1480000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: d840953d189abcf168b4f0704e08725bbe1d3d2aa3e84085eb1b1c775d6dafe9
                                                                                                                                                                                                                      • Instruction ID: d76d0c4cb25b0584efb0075148ac4cdde1a6c055b9bfc89dc4bffce0aa6eb5ba
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d840953d189abcf168b4f0704e08725bbe1d3d2aa3e84085eb1b1c775d6dafe9
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D4A18232E106058FCF05EFB9C5805AEBBB2FF94310B15456AE905BB3A5DB71E905CB50

Execution Graph

Execution Coverage: 1.3%
Dynamic/Decrypted Code Coverage: 2.7%
Signature Coverage: 6.2%
Total number of Nodes: 549
Total number of Limit Nodes: 66

The report renders execution_graph as an interactive graph; its flattened node/edge listing (one "id address [label ...]" entry per node, "id->id" per call edge) is summarised here instead of being reproduced. What the listing shows:
• Root node 41f0e0, which calls 41b940 and from there the initialisation chain 409d40 -> 409c90 (then 418a40, 41b280, 409ab0) and 409c30.
• Named APIs on nodes of the graph: LdrLoadDll, LdrInitializeThunk, NtCreateFile (41a34c), NtReadFile (41a3fc), NtClose (41a47c), NtAllocateVirtualMemory (41a52c), RtlAllocateHeap (41a61c), RtlFreeHeap (41a65c), LookupPrivilegeValueW (41a7bf), PostThreadMessageW (40835c), ExitProcess (41a69f). Some callees are collapsed to aggregates such as "414a50 8 API calls" or "4087a0 19 API calls".
• Every native-API wrapper (41a330, 41a3e0, 41a460, 41a510, 41a600, 41a640, 41a680, 41a7a0, ...) first calls 41af30, labelled LdrLoadDll, and only then the Nt*/Rtl* function, i.e. the API is looked up at call time.
• 41ad40 is a straight-line run of several dozen consecutive calls to 41ac00 (which itself resolves through 414e50 and LdrLoadDll), consistent with a routine that resolves a whole batch of APIs at once.
• Twelve wrappers in the 419df0..41a590 range end in one of thirteen leaf nodes at 15a2ad0..15a2fb0, outside the 0x400000 image, all labelled LdrInitializeThunk; 15a2ad0 has no incoming edge in the listing.
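
The execution_graph listing is a token stream: "id address [label ...]" opens a node, "id->id" records a call edge, and labels are either an API name (NtReadFile, LdrLoadDll) or an aggregate such as "2 API calls". The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses that stream, lists the APIs reachable from the entry node, ranks callee addresses by fan-in (which surfaces the 41af30 LdrLoadDll hub), and names the callers of a given API. SAMPLE is a constructed, abridged excerpt whose node ids and addresses are taken from the listing above but whose edges are simplified; the function names and the API-name heuristic (an identifier starting with a capital letter) are my own.

```python
"""Parse Joe Sandbox's flattened execution_graph listing and summarise it.

Token stream: "<id> <addr> [label ...]" opens a node, "<id>-><id>" is a call
edge. Labels are API names (NtReadFile, LdrLoadDll, ...) or aggregates such
as "2 API calls". Added example, not from the sandbox report or its tooling.
"""
import re
from collections import Counter, defaultdict, deque

# Constructed excerpt: ids/addresses are from the report's listing, edges abridged.
SAMPLE = """execution_graph 99233 41f0e0 99234 41f0eb 99233->99234 99236 41b940 99233->99236
99237 41b966 99236->99237 99239 41b972 99237->99239 99241 41b985 99239->99241
99288 41a680 99241->99288 99289 41af30 LdrLoadDll 99288->99289 99290 41a69f ExitProcess 99289->99290
99362 414b90 99425 41a330 99362->99425 99426 41a34c NtCreateFile 99425->99426
99427 41af30 LdrLoadDll 99425->99427 99427->99426
99468 414501 99496 41a3e0 99468->99496 99497 41a3fc NtReadFile 99496->99497
99498 41af30 LdrLoadDll 99496->99498 99498->99497
99367 414bb7 99368 41bd90 2 API calls 99367->99368
"""

ADDR_RE = re.compile(r"^[0-9a-f]{6,8}$")      # bare hex code address
API_RE = re.compile(r"^[A-Z][A-Za-z0-9]+$")  # heuristic: LdrLoadDll, NtReadFile, ...
NOT_API = {"API"}                            # from the "N API calls" aggregate


def parse_graph(text):
    """Return ({node_id: (addr, [labels])}, [(src_id, dst_id), ...])."""
    nodes, edges, cur = {}, [], None
    toks = text.split()
    if toks and toks[0] == "execution_graph":
        toks = toks[1:]
    i = 0
    while i < len(toks):
        tok = toks[i]
        if "->" in tok:                                  # call edge
            src, dst = tok.split("->", 1)
            edges.append((src, dst))
            i += 1
        elif tok.isdigit() and i + 1 < len(toks) and ADDR_RE.match(toks[i + 1]):
            cur = tok                                    # new node: id + address
            nodes[cur] = (toks[i + 1], [])
            i += 2
        else:                                            # label of the current node
            if cur is None:
                raise ValueError(f"label {tok!r} before any node")
            nodes[cur][1].append(tok)
            i += 1
    return nodes, edges


def api_labels(labels):
    return {l for l in labels if API_RE.match(l) and l not in NOT_API}


def all_apis(nodes):
    out = set()
    for _, labels in nodes.values():
        out |= api_labels(labels)
    return out


def reachable_apis(nodes, edges, root_addr):
    """APIs on nodes reachable (BFS) from the first node at root_addr."""
    succ = defaultdict(list)
    for s, d in edges:
        succ[s].append(d)
    roots = [n for n, (addr, _) in nodes.items() if addr == root_addr]
    if not roots:
        raise KeyError(f"no node at {root_addr}")
    seen, queue, apis = set(), deque(roots[:1]), set()
    while queue:
        n = queue.popleft()
        if n in seen or n not in nodes:
            continue
        seen.add(n)
        apis |= api_labels(nodes[n][1])
        queue.extend(succ[n])
    return apis


def fan_in_by_address(nodes, edges):
    """Incoming-edge count per *address*. One function appears under many
    node ids (one per call site), so summing per address exposes the hubs."""
    c = Counter()
    for _, d in edges:
        if d in nodes:
            c[nodes[d][0]] += 1
    return c


def callers_of(nodes, edges, api):
    """Addresses of nodes that have an edge into a node labelled `api`."""
    targets = {n for n, (_, labels) in nodes.items() if api in labels}
    return sorted({nodes[s][0] for s, d in edges if d in targets and s in nodes})


if __name__ == "__main__":
    nodes, edges = parse_graph(SAMPLE)
    print(len(nodes), "nodes,", len(edges), "edges")
    print("APIs reachable from 41f0e0:", sorted(reachable_apis(nodes, edges, "41f0e0")))
    print("top fan-in:", fan_in_by_address(nodes, edges).most_common(3))
    print("callers of NtReadFile:", callers_of(nodes, edges, "NtReadFile"))
```

Run against the full listing, fan_in_by_address puts 41af30 far ahead of every other address, and callers_of("NtReadFile") returns the wrapper 41a3e0 together with 41af30, which is the "resolve, then call" pattern every native-API wrapper in this sample follows. Nodes that the sandbox collapsed to "N API calls" carry no API names, so the reachable set is a lower bound.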

Control-flow Graph

control_flow_graph 0 41a3da-41a429 call 41af30 NtReadFile
APIs
• NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A425
Strings
Memory Dump Source
• Source File: 00000005.00000002.2202528811.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_RFQ-1024.jbxd
Yara matches
Similarity
• API ID: FileRead
• String ID: 1JA$rMA$rMA
• API String ID: 2738559852-782607585
• Opcode ID: 757b6e1bc07b3bf09793faee9661551754b0ff6aec0333777d77dda8410c520e
• Instruction ID: d9496cab67eccaa2a300e7c2e8500b7217d72c9056333dd282b08d57620d7ac6
• Opcode Fuzzy Hash: 757b6e1bc07b3bf09793faee9661551754b0ff6aec0333777d77dda8410c520e
• Instruction Fuzzy Hash: 87F01DB2210148ABCB05DF98D890CEB7BADAF8C314B15869DFD0C97216C634E855CBA0

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                                      control_flow_graph 3 41a3e0-41a3f6 4 41a3fc-41a429 NtReadFile 3->4 5 41a3f7 call 41af30 3->5 5->4
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A425
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2202528811.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_400000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FileRead
                                                                                                                                                                                                                      • String ID: 1JA$rMA$rMA
                                                                                                                                                                                                                      • API String ID: 2738559852-782607585
                                                                                                                                                                                                                      • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                                                                                                                                                                                      • Instruction ID: c75c44bd16ed9a046d03b4490adc68ebadf214b0f3589fd2ba36fb57c0fad8bd
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 95F0B7B2210208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                                      control_flow_graph 204 41a2ea-41a2ee 205 41a2f0-41a329 call 41af30 204->205 206 41a338-41a381 call 41af30 NtCreateFile 204->206
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A37D
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2202528811.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_400000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: CreateFile
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 823142352-0
                                                                                                                                                                                                                      • Opcode ID: 94b546fadc3172d4cbd0974d002435d2c170b5460e604780f875a3b40548b332
                                                                                                                                                                                                                      • Instruction ID: 7d927b91c53d99ff772232a7bee72b09811667c0becba63b72a30f99829caa9b
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 94b546fadc3172d4cbd0974d002435d2c170b5460e604780f875a3b40548b332
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: DE1107B2215209ABCB08DF98DC85DEB77ADAF8C314F05824DFA4DA7241C630E851CBA4

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                                      control_flow_graph 227 40acf0-40ad0c 228 40ad14-40ad19 227->228 229 40ad0f call 41cc20 227->229 230 40ad1b-40ad1e 228->230 231 40ad1f-40ad2d call 41d040 228->231 229->228 234 40ad3d-40ad4e call 41b470 231->234 235 40ad2f-40ad3a call 41d2c0 231->235 240 40ad50-40ad64 LdrLoadDll 234->240 241 40ad67-40ad6a 234->241 235->234 240->241
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2202528811.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_400000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Load
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2234796835-0
                                                                                                                                                                                                                      • Opcode ID: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
                                                                                                                                                                                                                      • Instruction ID: 667dcf47c4413345b20473d406be44d3d8b7ebea9a3b2269cd40777f9644ce6e
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 79015EB5D0020DBBDB10EBA1DC42FDEB3799F54308F0045AAA908A7281F638EB54CB95

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                                      control_flow_graph 251 41a32a-41a346 252 41a34c-41a381 NtCreateFile 251->252 253 41a347 call 41af30 251->253 253->252
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A37D
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2202528811.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_400000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: CreateFile
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 823142352-0
                                                                                                                                                                                                                      • Opcode ID: ee3695a4899577ce3d874c1ef7f2278fb65b84fc6352f54c306a385979961bef
                                                                                                                                                                                                                      • Instruction ID: 24e128ae343006bbbc751a00b5729f9aa9b5416c578219d56ac147f4e2306034
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ee3695a4899577ce3d874c1ef7f2278fb65b84fc6352f54c306a385979961bef
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4201B2B2251208AFCB08CF88DC95EEB77ADAF8C754F558248FA1D97245D630E851CBA4

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                                      control_flow_graph 254 41a330-41a346 255 41a34c-41a381 NtCreateFile 254->255 256 41a347 call 41af30 254->256 256->255
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A37D
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2202528811.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_400000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: CreateFile
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 823142352-0
                                                                                                                                                                                                                      • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                                                                                                                                                                                      • Instruction ID: 7ed6e6cb708c972561b0f9910f559a39af1ab3cc862b6eef20835abd22e26781
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C4F0BDB2211208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E851CBA4

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                                      control_flow_graph 257 41a50a-41a54d call 41af30 NtAllocateVirtualMemory
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B104,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A549
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2202528811.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_400000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: AllocateMemoryVirtual
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2167126740-0

Control-flow Graph (legend: Executed / Not Executed)
• Block 260: 41a510-41a526
• Block 261: 41a52c-41a54d, calls NtAllocateVirtualMemory
• Block 262: 41a527, call 41af30
• Edges: 260->261, 260->262, 262->261
APIs
• NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B104,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A549
Memory Dump Source
• Source File: 00000005.00000002.2202528811.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_RFQ-1024.jbxd
Yara matches
Similarity
• API ID: AllocateMemoryVirtual
• String ID:
• API String ID: 2167126740-0
APIs
• NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A485
Memory Dump Source
• Source File: 00000005.00000002.2202528811.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_RFQ-1024.jbxd
Yara matches
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0
APIs
• NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A485
Memory Dump Source
• Source File: 00000005.00000002.2202528811.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_RFQ-1024.jbxd
Yara matches
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0
APIs
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
APIs
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
APIs
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
APIs
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
APIs
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
APIs
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
                                                                                                                                                                                                                      • Opcode ID: 088cb51cee5f067cc9bd0035d90aed872555aa0358913183ddfc29d39e838c42
                                                                                                                                                                                                                      • Instruction ID: 1a765669c849f1216f939de6050625e06bba3c5618353dc5234ab8a1f736e62b
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 088cb51cee5f067cc9bd0035d90aed872555aa0358913183ddfc29d39e838c42
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D5900221242441525545B1584844547404AB7E0251799D412A1415D50CC5669956DB21
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2994545307-0
                                                                                                                                                                                                                      • Opcode ID: 4c81ede5e3d539b8a7400e1ffbdaff3af37b732945304a049e42157df9f879af
                                                                                                                                                                                                                      • Instruction ID: df5acc3ab0c5e9b8a394be58bf754ef9a7b44e1045f01a52d57b894041f49cbb
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4c81ede5e3d539b8a7400e1ffbdaff3af37b732945304a049e42157df9f879af
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1890023120140413D11171584944747004DA7D0251F99D812A0425958DD6968A52A621
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2994545307-0
                                                                                                                                                                                                                      • Opcode ID: 07a4816468730281055ca606d698246594a2de73bd9d7f9e50ded03d1d7b3887
                                                                                                                                                                                                                      • Instruction ID: 22f8897e40ffaabad0b342fd0b91b48cc4ac3b9c64e042e8dbc1007ea31d8b0a
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 07a4816468730281055ca606d698246594a2de73bd9d7f9e50ded03d1d7b3887
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: BA90023120148802D1107158884478A0049A7D0311F5DD811A4425A58DC6D589917621
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2994545307-0
                                                                                                                                                                                                                      • Opcode ID: 6806df8f7382a015b50996c7f214db2f88faf6f85dddd06960bc04ed5d079573
                                                                                                                                                                                                                      • Instruction ID: a33c1832af029fd5dad653f42d7745237a67b52f9da9d20dc7d43d1b232d52bf
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6806df8f7382a015b50996c7f214db2f88faf6f85dddd06960bc04ed5d079573
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4D90023120140402D100759858486860049A7E0311F59E411A5025955EC6A589916631
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2994545307-0
                                                                                                                                                                                                                      • Opcode ID: 138e97d2aba6a13f990257da86790de2b4b0cbbd6ea6741faa3d06b1b9b2bc9c
                                                                                                                                                                                                                      • Instruction ID: bdeb105042c52ab0d5c654168413cdfc3933838184c5e35b12a25a6ede96c119
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 138e97d2aba6a13f990257da86790de2b4b0cbbd6ea6741faa3d06b1b9b2bc9c
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9D90026134140442D10071584854B460049E7E1311F59D415E1065954DC659CD526626
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2994545307-0
                                                                                                                                                                                                                      • Opcode ID: b773697644be91a70782dbb113b1bd36c02b07e9322666100bba6734f3fec8ef
                                                                                                                                                                                                                      • Instruction ID: 5a811c01e7d58f46da70875b20c35496e77c5f07c91c3a997749afee10e48547
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b773697644be91a70782dbb113b1bd36c02b07e9322666100bba6734f3fec8ef
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9E900221211C0042D20075684C54B470049A7D0313F59D515A0155954CC95589615A21
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2994545307-0
                                                                                                                                                                                                                      • Opcode ID: 8b4a6d75928e05666a82b91954c5d33c685947ff1976bc25f649585172711d06
                                                                                                                                                                                                                      • Instruction ID: af8f38a807160148f940515950e5bafe26b7453d744d5194f45e3e71df395a51
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 8b4a6d75928e05666a82b91954c5d33c685947ff1976bc25f649585172711d06
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8290023120180402D10071584C5474B0049A7D0312F59D411A1165955DC66589516A71
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2994545307-0
                                                                                                                                                                                                                      • Opcode ID: 06e19f64d43dd1e24f781e96825a8b771537afbd7d8c32b7c3d48f7850294bec
                                                                                                                                                                                                                      • Instruction ID: f80efdd3bbaa20f32fed5b5ef9e6b1e2c7d7018d4269075a7bceae1b92c2c406
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 06e19f64d43dd1e24f781e96825a8b771537afbd7d8c32b7c3d48f7850294bec
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3190022160140042414071688C849464049BBE1221759D521A0999950DC59989655B65
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2994545307-0
                                                                                                                                                                                                                      • Opcode ID: 12399d8e731e6e94cf43576fe4f0d000b3e0cc98db83ad278ab88d040464282b
                                                                                                                                                                                                                      • Instruction ID: c72c05356aab21fd91da1bd0b9ab3814ca427c107dad00fd67f44e39a467a899
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 12399d8e731e6e94cf43576fe4f0d000b3e0cc98db83ad278ab88d040464282b
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8F90022160140502D10171584844656004EA7D0251F99D422A1025955ECA658A92A631
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 5db9979486344700662fb5776df916b7e81d2e1dca0d3209b37008ea24ba4d20
• Instruction ID: 93d63cc7d4d794dab7c1e30eee2fbafee6aba75d3740c89b00aef3b553913f99
• Opcode Fuzzy Hash: 5db9979486344700662fb5776df916b7e81d2e1dca0d3209b37008ea24ba4d20
• Instruction Fuzzy Hash: 8090027120140402D140715848447860049A7D0311F59D411A5065954EC6998ED56B65
Memory Dump Source
• Source File: 00000005.00000002.2202528811.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_RFQ-1024.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9491f0743c91a206193bdf4875b0116748c1939b63dea1d6f13f2d0be6304ac3
• Instruction ID: 0cf1d1cfbff413d406b9f50454d57ab941c4b3e8ec75440de5a7d7d7e128ebbb
• Opcode Fuzzy Hash: 9491f0743c91a206193bdf4875b0116748c1939b63dea1d6f13f2d0be6304ac3
• Instruction Fuzzy Hash: 24210AB2D4020857CB25D664AD52BFF73BCAB54314F04007FE949A3182F638BE498BA5

Control-flow Graph

control_flow_graph 6 41a600-41a631 call 41af30 RtlAllocateHeap
APIs
• RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A62D
Strings
Memory Dump Source
• Source File: 00000005.00000002.2202528811.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_RFQ-1024.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID: 6EA
• API String ID: 1279760036-1400015478
• Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
• Instruction ID: 226561cf9c8a986873ffc081809f26ad69fcc4b20f94c9d7be20fabd3b8eb7db
• Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
• Instruction Fuzzy Hash: 24E012B1211208ABDB14EF99CC41EA777ACAF88664F118559BA085B242C630F911CAB0

Control-flow Graph

control_flow_graph 212 408310-40835a call 41be30 call 41c9d0 call 40acf0 call 414e50 221 40835c-40836e PostThreadMessageW 212->221 222 40838e-408392 212->222 223 408370-40838a call 40a480 221->223 224 40838d 221->224 223->224 224->222
APIs
• PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
Memory Dump Source
• Source File: 00000005.00000002.2202528811.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_RFQ-1024.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID:
• API String ID: 1836367815-0
• Opcode ID: 1eae49b1dd1fdf1f4ed343fddf3187855c82dbc596373200d6923005f005e771
• Instruction ID: 43d593e10ad008c4695c17d6314bf6f3e92d4c432431edd93db89b762a987e15
• Opcode Fuzzy Hash: 1eae49b1dd1fdf1f4ed343fddf3187855c82dbc596373200d6923005f005e771
• Instruction Fuzzy Hash: E2018471A8032877E720A6959D43FFE776C5B40F54F05011AFF04BA1C2EAA8690546EA

Control-flow Graph

control_flow_graph 243 41a791-41a79d 244 41a7a0-41a7ba call 41af30 243->244 245 41a723-41a727 243->245 249 41a7bf-41a7d4 LookupPrivilegeValueW 244->249 246 41a72f-41a744 245->246 247 41a72a call 41af30 245->247 247->246
APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A7D0
Memory Dump Source
• Source File: 00000005.00000002.2202528811.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_RFQ-1024.jbxd
Yara matches
Similarity
• API ID: LookupPrivilegeValue
• String ID:
• API String ID: 3899507212-0
• Opcode ID: 3a095b6fdbfae34f310b3791de5d0685201296881819b5ca00dc2e276e2191ab
• Instruction ID: 4f0e51a01ab46be95e7cd7a3d039ee2e35a66bd9743fa429f2e30aff352c1da8
• Opcode Fuzzy Hash: 3a095b6fdbfae34f310b3791de5d0685201296881819b5ca00dc2e276e2191ab
• Instruction Fuzzy Hash: B101ADB52102086BDB10EF59DC80DEB73A9EF88318F01845AF90957342C630E9168AB5

Control-flow Graph

control_flow_graph 263 41a632-41a656 264 41a65c-41a671 RtlFreeHeap 263->264 265 41a657 call 41af30 263->265 265->264
APIs
• RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A66D
Memory Dump Source
• Source File: 00000005.00000002.2202528811.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_RFQ-1024.jbxd
Yara matches
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
• Opcode ID: f49230a00f39b622cdbf99e67a481b45ea0755e82c26f23a6924a4167ca151d4
• Instruction ID: ee930675011bf31697f300d8cbe35b02760f94f29c7344f56dc328e1a5823920
• Opcode Fuzzy Hash: f49230a00f39b622cdbf99e67a481b45ea0755e82c26f23a6924a4167ca151d4
• Instruction Fuzzy Hash: 15F039B1221204ABD718EF58DC49EE777A9FF48750F118669FA485B242D631E811CBA0

Control-flow Graph

                                                                                                                                                                                                                      control_flow_graph 266 41a640-41a671 call 41af30 RtlFreeHeap
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A66D
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2202528811.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_400000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FreeHeap
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3298025750-0
                                                                                                                                                                                                                      • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                                                                                                                                                                                      • Instruction ID: 3f65de21c9b51a2b7742007d51c6b1fad19b07b0b1b2c98d2bb582ee848745b4
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1EE046B1210208ABDB18EF99CC49EE777ACEF88764F018559FE085B242C630F911CAF0
                                                                                                                                                                                                                      APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A7D0
Memory Dump Source
• Source File: 00000005.00000002.2202528811.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_RFQ-1024.jbxd
Yara matches
Similarity
• API ID: LookupPrivilegeValue
• String ID:
• API String ID: 3899507212-0
• Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
• Instruction ID: a195d06a74d451d332e2306e76e7c3aa502b90bd3f16d73f11471c4c6d802808
• Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
• Instruction Fuzzy Hash: 2FE01AB12102086BDB10DF49CC85EE737ADAF88654F018155BA0857241C934E8118BF5
APIs
• ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6A8
Memory Dump Source
• Source File: 00000005.00000002.2202528811.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_RFQ-1024.jbxd
Yara matches
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
• Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
• Instruction ID: 026b6f0270740822b369349059f6971daea101c61a9fac8a7aff4918670f7806
• Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
• Instruction Fuzzy Hash: C1D017726112187BD620EB99CC85FD777ACDF487A4F0180AABA1C6B242C531BA11CAE1
APIs
• LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62
Memory Dump Source
• Source File: 00000005.00000002.2202528811.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_RFQ-1024.jbxd
Yara matches
Similarity
• API ID: Load
• String ID:
• API String ID: 2234796835-0
• Opcode ID: 1ddec9c740a2b2ef97a035f25dfabd68456f20969e05435321587986678711db
• Instruction ID: 05bc5eed07a0c19d6aa88ef3f94ab0c5740ad5768756de9c93d4a761ab8051c3
• Opcode Fuzzy Hash: 1ddec9c740a2b2ef97a035f25dfabd68456f20969e05435321587986678711db
• Instruction Fuzzy Hash: DEB09231A942182AEA74D6D89C06B2AB755DB85712F144296BD2CA67C0E4A22D2041EA
APIs
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: a4418fd0186ac4561789a3bb32a29006ac3d0c5deb95f0a11bec19691d7c5c8f
• Instruction ID: 002854d25909da0d1f54e54c18eac486e78d8a12403d6ff9f8502d72c9403792
• Opcode Fuzzy Hash: a4418fd0186ac4561789a3bb32a29006ac3d0c5deb95f0a11bec19691d7c5c8f
• Instruction Fuzzy Hash: 6CB09B719415C5D5DA11E7644A0971F794477D0711F59C461D2030A41F4778C1D1E675
Strings
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID:
• String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
• API String ID: 0-2160512332
• Opcode ID: a7078e628074b747bee5729a074190b10e8e92ce527d231480ee77d833eac755
• Instruction ID: c6cb4bc8f66b4cc29c346e264403ea10a070f8a2fab61af91e6131b4bfb98c40
• Opcode Fuzzy Hash: a7078e628074b747bee5729a074190b10e8e92ce527d231480ee77d833eac755
• Instruction Fuzzy Hash: B4929071A08342AFE729DF28C889B6BB7E8BB84754F04491DFA95DF250D770E844CB52
Strings
• Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 015D540A, 015D5496, 015D5519
• Critical section address., xrefs: 015D5502
• Invalid debug info address of this critical section, xrefs: 015D54B6
• double initialized or corrupted critical section, xrefs: 015D5508
• corrupted critical section, xrefs: 015D54C2
• Critical section address, xrefs: 015D5425, 015D54BC, 015D5534
• Address of the debug info found in the active list., xrefs: 015D54AE, 015D54FA
• Thread is in a state in which it cannot own a critical section, xrefs: 015D5543
• Critical section debug info address, xrefs: 015D541F, 015D552E
• First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 015D54E2
• Thread identifier, xrefs: 015D553A
• 8, xrefs: 015D52E3
• Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 015D54CE
• undeleted critical section in freed memory, xrefs: 015D542B
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID:
• String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
• API String ID: 0-2368682639
• Opcode ID: 57aadec1ce537f49259f75cee906cf0d2dc32d6d24cff732724e463db4b2a31a
• Instruction ID: 4d09036da9bc0ff25a839f75cd74df590f8e71c58f73cda8d2cdb382921926fb
• Opcode Fuzzy Hash: 57aadec1ce537f49259f75cee906cf0d2dc32d6d24cff732724e463db4b2a31a
• Instruction Fuzzy Hash: C8816A71A40359AFDB21CF99CC45BAEBBF5BB48B18F10411AF505BF240E775A940CBA0
Strings
• SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 015D2412
• SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 015D2498
• @, xrefs: 015D259B
• SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 015D2602
• SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 015D2506
• SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 015D2624
• SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 015D2409
• RtlpResolveAssemblyStorageMapEntry, xrefs: 015D261F
• SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 015D24C0
• SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 015D25EB
• SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 015D22E4
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID:
• String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
• API String ID: 0-4009184096
• Opcode ID: 0ae0e13fd3eccbf45ba68bf2baa0f833cd853e494c26c43489eca3e3483f6acc
• Instruction ID: f66a457267445c4c49682fef3ae63b897e6fea6ec02a24737fdec0cc25473616
• Opcode Fuzzy Hash: 0ae0e13fd3eccbf45ba68bf2baa0f833cd853e494c26c43489eca3e3483f6acc
• Instruction Fuzzy Hash: 290250B1D00269ABDF31DB58CC80BDDB7B8BF54314F4445DAA609AB241EB709E84CF59
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                                                                                                                                                                                                      • API String ID: 0-2515994595
                                                                                                                                                                                                                      • Opcode ID: c7a310e27649ee938b2038dbec5553259d8cfa14506201c574a2ad4c84233be3
                                                                                                                                                                                                                      • Instruction ID: f5b214f2a96bc9df181f3beec91d5b9ad2f9dd7bb7a5825df80e2ce6215baab2
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c7a310e27649ee938b2038dbec5553259d8cfa14506201c574a2ad4c84233be3
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: AA5190B2904306ABD72ADF188C44BABBBECFFD8750F144A1DE95587281E770D605C792
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                                                                                                                                                                                      • API String ID: 0-1700792311
                                                                                                                                                                                                                      • Opcode ID: d91af05972d6102c42d0a69a06d7df16029905ceb95adbfd9bfa5969507ba90b
                                                                                                                                                                                                                      • Instruction ID: f551c4454a34d7c89da9273d5f80decba9e9aa153ecdd4beeddf998e50cc8200
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d91af05972d6102c42d0a69a06d7df16029905ceb95adbfd9bfa5969507ba90b
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: BBD1BC31600686DFDF22DFA9C850AADBBF2FF8A710F08805AF9459B356D7349981CB54
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • AVRF: -*- final list of providers -*- , xrefs: 015E8B8F
                                                                                                                                                                                                                      • HandleTraces, xrefs: 015E8C8F
                                                                                                                                                                                                                      • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 015E8A67
                                                                                                                                                                                                                      • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 015E8A3D
                                                                                                                                                                                                                      • VerifierDebug, xrefs: 015E8CA5
                                                                                                                                                                                                                      • VerifierDlls, xrefs: 015E8CBD
                                                                                                                                                                                                                      • VerifierFlags, xrefs: 015E8C50
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                                                                                                                                                                                                                      • API String ID: 0-3223716464
                                                                                                                                                                                                                      • Opcode ID: ded97f26e516f36fee7b9e00e9d0b182ea19d8444c8f1fe6295e391227a35baf
                                                                                                                                                                                                                      • Instruction ID: aaa6eafd2f2d1a8ace67d8db0cb69db00def9d7a6fecde0b5e73291c8ff9e049
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ded97f26e516f36fee7b9e00e9d0b182ea19d8444c8f1fe6295e391227a35baf
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 30911172E41712EFDB29EF28CC88B5A7BE9BB94714F444859FA466F240D770AC10C792
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                                                                                                                                                                                                                      • API String ID: 0-1109411897
                                                                                                                                                                                                                      • Opcode ID: ea192a164f7e6f48626815abe6dc826f5808c088efdb00ab09288ccf27c382d3
                                                                                                                                                                                                                      • Instruction ID: e01c9f15636f0ee9fdc4b5433ad48eb1a22c6deb453ce9971dee44695c71628f
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ea192a164f7e6f48626815abe6dc826f5808c088efdb00ab09288ccf27c382d3
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1DA22974E0562A8FDB64CF58CCA8BADBBB5BF45704F1442DAD909AB250DB349E81CF40
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                                                                                                                                                                                      • API String ID: 0-792281065
                                                                                                                                                                                                                      • Opcode ID: bf08f149f72bd4d6a3aede8637c2eb20c206829708ff27c08e2df6e1ceaec155
                                                                                                                                                                                                                      • Instruction ID: 3602186ac8cc1510ad7b753ff8924993dc72e88fe4c22d52d2061676cf028126
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: bf08f149f72bd4d6a3aede8637c2eb20c206829708ff27c08e2df6e1ceaec155
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 10912871B403169BEF35DFACDC89BAE7BA1FB81B24F440129E9056F681D7709801CB92
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • Loading the shim user DLL failed with status 0x%08lx, xrefs: 015B9A2A
                                                                                                                                                                                                                      • Building shim user DLL system32 filename failed with status 0x%08lx, xrefs: 015B99ED
                                                                                                                                                                                                                      • LdrpInitShimEngine, xrefs: 015B99F4, 015B9A07, 015B9A30
                                                                                                                                                                                                                      • Getting the shim user exports failed with status 0x%08lx, xrefs: 015B9A01
                                                                                                                                                                                                                      • minkernel\ntdll\ldrinit.c, xrefs: 015B9A11, 015B9A3A
                                                                                                                                                                                                                      • apphelp.dll, xrefs: 01556496
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: Building shim user DLL system32 filename failed with status 0x%08lx$Getting the shim user exports failed with status 0x%08lx$LdrpInitShimuser$Loading the shim user DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                                                                                                                                                                      • API String ID: 0-204845295
                                                                                                                                                                                                                      • Opcode ID: 4f0d68bace4ef45ede14587e762e1c42464ffba71244c5f6577c2c41b47e0b83
                                                                                                                                                                                                                      • Instruction ID: c3eaaa538e3d11ca5661a224dcd6765ead4aacf9f9f63bde68eac3df36fac901
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4f0d68bace4ef45ede14587e762e1c42464ffba71244c5f6577c2c41b47e0b83
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3151B1712483469FD720DF25DC91AAB7BE9FB84748F80091EFA859F250D7B0E904CB92
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 015D21BF
                                                                                                                                                                                                                      • RtlGetAssemblyStorageRoot, xrefs: 015D2160, 015D219A, 015D21BA
                                                                                                                                                                                                                      • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 015D219F
                                                                                                                                                                                                                      • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 015D2178
                                                                                                                                                                                                                      • SXS: %s() passed the empty activation context, xrefs: 015D2165
                                                                                                                                                                                                                      • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 015D2180
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
• String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
• API String ID: 0-861424205
• Opcode ID: 03b7ec8ea0470f342af95fff306b3fcb5cb0e515ba67e4093f11f860e4c07235
• Instruction ID: 75cee79974324997dd350cb202664a4813d0b2c2152c2cdb92b632c70fbc843d
• Opcode Fuzzy Hash: 03b7ec8ea0470f342af95fff306b3fcb5cb0e515ba67e4093f11f860e4c07235
• Instruction Fuzzy Hash: B731E536F40216B7FB218AAA8C45F5E7BA8FBA5A54F054059FA04BF240D7709A00C7A2

Strings
• LdrpInitializeProcess, xrefs: 0159C6C4
• Loading import redirection DLL: '%wZ', xrefs: 015D8170
• LdrpInitializeImportRedirection, xrefs: 015D8177, 015D81EB
• Unable to build import redirection Table, Status = 0x%x, xrefs: 015D81E5
• minkernel\ntdll\ldrredirect.c, xrefs: 015D8181, 015D81F5
• minkernel\ntdll\ldrinit.c, xrefs: 0159C6C3
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID:
• String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
• API String ID: 0-475462383
• Opcode ID: 2ab4074f8e3f32e62bd00926ce04c42361d21c2959e39254c5bff623281dc850
• Instruction ID: 01fce0de49be0e28a4feab8a457d9fc13ed0da9f897c5081af62fa67f946c1fd
• Opcode Fuzzy Hash: 2ab4074f8e3f32e62bd00926ce04c42361d21c2959e39254c5bff623281dc850
• Instruction Fuzzy Hash: 8831EE71A443179BC324EA2CDC46E2ABBE4FBD4B14F000518F985AF291E660EC04CBA2

APIs
  • Part of subcall function 015A2DF0: LdrInitializeThunk.NTDLL ref: 015A2DFA
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 015A0BA3
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 015A0BB6
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 015A0D60
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 015A0D74
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
• String ID:
• API String ID: 1404860816-0
• Opcode ID: 449d9ec6cfff596bae09df2272d2392183737258430a211b35954a1481ef344a
• Instruction ID: 15e405dcfca5caa4bb27654e203de6ad419217815a74df7316a65c105cfe6ec6
• Opcode Fuzzy Hash: 449d9ec6cfff596bae09df2272d2392183737258430a211b35954a1481ef344a
• Instruction Fuzzy Hash: E5426C71940716DFDB21CF28C880BAAB7F4BF44314F5485A9E989EF241E770AA85CF61

Strings
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID:
• String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
• API String ID: 0-379654539
• Opcode ID: 6785ea7d5b22da914cc44b0933b0d498030267080a9201f9b0d0f5b55d36297e
• Instruction ID: ecfde577ecb5707aaf0026a64534a08db766aed3dbf43b4b9ac5e786316ff526
• Opcode Fuzzy Hash: 6785ea7d5b22da914cc44b0933b0d498030267080a9201f9b0d0f5b55d36297e
• Instruction Fuzzy Hash: 38C18A74508382CFDB21CF58C440B6AB7E8BF94704F04896EF996AF251E774D949CBA2

Strings
• @, xrefs: 01598591
• LdrpInitializeProcess, xrefs: 01598422
• \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0159855E
• minkernel\ntdll\ldrinit.c, xrefs: 01598421
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID:
• String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
• API String ID: 0-1918872054
• Opcode ID: a90dddc8adcf17f7d3feb6959b34ba1fed7744866ec9fe4fde06829e7f7935e3
• Instruction ID: 88fa0bc551cba9957254db4217772810fb78d12a1bd3016c77164517fb387486
• Opcode Fuzzy Hash: a90dddc8adcf17f7d3feb6959b34ba1fed7744866ec9fe4fde06829e7f7935e3
• Instruction Fuzzy Hash: BD919B7155834AAFDB21DE65CC81EAFBBE8BF85744F40492EFA849A151E330D904CB63

Strings
• SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 015D22B6
• SXS: %s() passed the empty activation context, xrefs: 015D21DE
• .Local, xrefs: 015928D8
• RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 015D21D9, 015D22B1
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID:
• String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
• API String ID: 0-1239276146
• Opcode ID: 616aa5ee3b5e864859f68d3c1391c6fca6c5e239e30d92ae087b3d4722f42bcb
• Instruction ID: b9fea343aac20a6a2f4d115c06bbf1eb9cef8040805919e99861eb171eda26d3
• Opcode Fuzzy Hash: 616aa5ee3b5e864859f68d3c1391c6fca6c5e239e30d92ae087b3d4722f42bcb
• Instruction Fuzzy Hash: E2A19B3190022AEBDF24CF68D884BA9B7B5BF58354F1445EAE908AF251D7309EC0CF91

Strings
• SXS: %s() called with invalid flags 0x%08lx, xrefs: 015D342A
• RtlDeactivateActivationContext, xrefs: 015D3425, 015D3432, 015D3451
• SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 015D3456
• SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 015D3437
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID:
• String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
• API String ID: 0-1245972979
• Opcode ID: 08ab6c01e4e5d51cdeb75621d4a0d3334877aab4cd8a883d4bdd615b654c5242
• Instruction ID: b13c5f0a7e8d0d01593f26ce2d4b674a3e4b61e1980384ae4c540043371230da
• Opcode Fuzzy Hash: 08ab6c01e4e5d51cdeb75621d4a0d3334877aab4cd8a883d4bdd615b654c5242
• Instruction Fuzzy Hash: BD611076610B129FDB728F1CC945B2AB7E5BF80B60F148529E9959F240D738EC02CB92

Strings
• ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 015C10AE
• ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 015C0FE5
• ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 015C1028
• ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 015C106B
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID:
• String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
• API String ID: 0-1468400865
• Opcode ID: 5fca749158377836d745c838f3e0ca9f9ff896e59f75391ef5ebce179b6d70b1
• Instruction ID: 2c60d929e372c0e62ab044792b334b0835591920fb12546b94146e03b22e1671
• Opcode Fuzzy Hash: 5fca749158377836d745c838f3e0ca9f9ff896e59f75391ef5ebce179b6d70b1
• Instruction Fuzzy Hash: C071C0B19043469FCB21DF54C886B9B7BACBFA5764F800469F9488F186D734D588CBD1

Strings
• Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 015CA992
• LdrpDynamicShimModule, xrefs: 015CA998
• minkernel\ntdll\ldrinit.c, xrefs: 015CA9A2
• apphelp.dll, xrefs: 01582462
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                                                                                                                                                                      • API String ID: 0-176724104
                                                                                                                                                                                                                      • Opcode ID: 8f2acf3290d579f6861ad2a06a0770adc53b76f7b407a2ef7f5dc74ffc578916
                                                                                                                                                                                                                      • Instruction ID: 54f15401bd6e9788bfea56cba6a6b778369cc39488398278511792b6c03ebf24
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 8f2acf3290d579f6861ad2a06a0770adc53b76f7b407a2ef7f5dc74ffc578916
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B531F375A00306ABD735DF9DDC46AAABBB4FB80B44F16001DE8016F255D7B05891C790
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0157327D
                                                                                                                                                                                                                      • HEAP[%wZ]: , xrefs: 01573255
                                                                                                                                                                                                                      • HEAP: , xrefs: 01573264
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                                                                                                                                                                                                      • API String ID: 0-617086771
                                                                                                                                                                                                                      • Opcode ID: 8b762902d1688e509f6f3557627457bacda01d4856573129d1a59fc6963c0890
                                                                                                                                                                                                                      • Instruction ID: 8b2624aa579a846abfb89192f14e1c51486e56ff8840f2753e13b92f1cea2b99
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 8b762902d1688e509f6f3557627457bacda01d4856573129d1a59fc6963c0890
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: EB92DC71A042499FDB25CF68E446BAEBBF1FF48310F188499E899AF351D334A941DF50
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                                                                                                                                                                                      • API String ID: 0-4253913091
                                                                                                                                                                                                                      • Opcode ID: 6d0010da3045a2f106eb79ab5aab70af392b10744fe2c9c832a442cc817e1a71
                                                                                                                                                                                                                      • Instruction ID: 638f6f3bdd835eeb471186ec15418a719eba8cf3e7da8bc418cb31b95aff2ab9
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6d0010da3045a2f106eb79ab5aab70af392b10744fe2c9c832a442cc817e1a71
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A7F18870700606DFEB25CFA8D895B6AB7F6FB85704F1485A8E5469F381E730E981CB90
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                                      • String ID: $@
                                                                                                                                                                                                                      • API String ID: 2994545307-1077428164
                                                                                                                                                                                                                      • Opcode ID: dfa3441e711f82cd0c1a5318681baa4509b2b1b14c3f672f94ec5d02913515cf
                                                                                                                                                                                                                      • Instruction ID: c7dc522f11842aad6f0c7025c76788fb7139175987423482034f55a4aa67c69e
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: dfa3441e711f82cd0c1a5318681baa4509b2b1b14c3f672f94ec5d02913515cf
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F2C2AC716083418FEB25DF68C881BAFBBE5BFC8714F14892DE9899B241D734D845CB62
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: FilterFullPath$UseFilter$\??\
                                                                                                                                                                                                                      • API String ID: 0-2779062949
                                                                                                                                                                                                                      • Opcode ID: 73d0ab9ac6e8867e034af45e871ad5b9aad281b73ef641c9a0afa8fb1d5ac7bc
                                                                                                                                                                                                                      • Instruction ID: ac7ffe087e84272e8ba6af4b025283e5f3cb5a140693b10e5b1bd187a0a6995f
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 73d0ab9ac6e8867e034af45e871ad5b9aad281b73ef641c9a0afa8fb1d5ac7bc
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F4A16C7191162A9BDB219F68CC89BEDB7B8FF44700F0001EAE909AB250E7359E84CF54
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • LdrpCheckModule, xrefs: 015CA117
                                                                                                                                                                                                                      • minkernel\ntdll\ldrinit.c, xrefs: 015CA121
                                                                                                                                                                                                                      • Failed to allocated memory for shimmed module list, xrefs: 015CA10F
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                                                                                                                                                                                                      • API String ID: 0-161242083
                                                                                                                                                                                                                      • Opcode ID: aaf48570a68944fde102e483a4de077c761a37fac9853f194afce835cfb8059f
                                                                                                                                                                                                                      • Instruction ID: b03ed3c087b9114fa2e4665b372bd00b1e690ff2a7595d459502c4f41f3d98d3
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: aaf48570a68944fde102e483a4de077c761a37fac9853f194afce835cfb8059f
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9E71AE71A00306DFDB25EFA8CD85AAEBBF4FB84604F14446DE802AF251E734A945CB50
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                                                                                                                                                                                                      • API String ID: 0-1334570610
                                                                                                                                                                                                                      • Opcode ID: 1afb1e81a7b6ca38c0fa6770d909eac1a063077fabfd3fa3acbda405e66d1ddc
                                                                                                                                                                                                                      • Instruction ID: 89b7066390603ed7ea87d00613b60ce24e14321d6677b48ed75588d44617d444
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1afb1e81a7b6ca38c0fa6770d909eac1a063077fabfd3fa3acbda405e66d1ddc
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: DF61CE706103029FDB29DF68D845B6ABBE1FF46B04F14855EE8498F282D7B0E981CB90
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • LdrpInitializePerUserWindowsDirectory, xrefs: 015D82DE
                                                                                                                                                                                                                      • minkernel\ntdll\ldrinit.c, xrefs: 015D82E8
                                                                                                                                                                                                                      • Failed to reallocate the system dirs string !, xrefs: 015D82D7
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
Strings
• \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0161C1C5
• @, xrefs: 0161C1F1
• PreferredUILanguages, xrefs: 0161C212
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID:
• String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings

Similarity
• API ID:
• String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit

Strings
• LdrpCheckRedirection, xrefs: 015E488F
• Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 015E4888
• minkernel\ntdll\ldrredirect.c, xrefs: 015E4899
Similarity
• API ID:
• String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c

Similarity
• API ID:
• String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:

Strings
• LdrpInitializationFailure, xrefs: 015E20FA
• Process initialization failed with status 0x%08lx, xrefs: 015E20F3
• minkernel\ntdll\ldrinit.c, xrefs: 015E2104
Similarity
• API ID:
• String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c

Similarity
• API ID: ___swprintf_l
• String ID: #%u

Strings
• LdrResSearchResource Exit, xrefs: 0156AA25
• LdrResSearchResource Enter, xrefs: 0156AA13
Similarity
• API ID:
• String ID: LdrResSearchResource Enter$LdrResSearchResource Exit

Similarity
• API ID:
• String ID: `$`

Similarity
• API ID: InitializeThunk
• String ID: Legacy$UEFI
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: @$MUI
                                                                                                                                                                                                                      • API String ID: 0-17815947
                                                                                                                                                                                                                      • Opcode ID: 9d1edd04207167e84167b67fdc383db68c6afea11e42cd617d0cdca3b738cbb2
                                                                                                                                                                                                                      • Instruction ID: 1846c3cceb958b092542699a3ed5d8b22e432340a7b96ee84baeaff0aa3273a2
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9d1edd04207167e84167b67fdc383db68c6afea11e42cd617d0cdca3b738cbb2
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6D510A71D4021EAEDB16DFA5CC81AEFBBBCFB44654F100529E611BB290DB319D058B60
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • kLsE, xrefs: 01560540
                                                                                                                                                                                                                      • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0156063D
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                                                                                                                                                                                      • API String ID: 0-2547482624
                                                                                                                                                                                                                      • Opcode ID: 3fc984f39ec469b3baf3ff617a4436e6dc0166b322c01be58f5827507b62e3f2
                                                                                                                                                                                                                      • Instruction ID: 56ba19ea42a14ac608086d7a0ab279ab11f9913d219d8e64ca139055adcede3a
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3fc984f39ec469b3baf3ff617a4436e6dc0166b322c01be58f5827507b62e3f2
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A5519F715147428BD725EF68C5406ABBBE8BF84304F10483EF69A8B281E774D945CFE2
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • RtlpResUltimateFallbackInfo Enter, xrefs: 0156A2FB
                                                                                                                                                                                                                      • RtlpResUltimateFallbackInfo Exit, xrefs: 0156A309
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                                                                                                                                                                                      • API String ID: 0-2876891731
                                                                                                                                                                                                                      • Opcode ID: 6feb630945b7fdc069c1eb4333e3b2176f1b962fc6cb430c68694fd8fa0cc4ef
                                                                                                                                                                                                                      • Instruction ID: 49fe5cf16a294e6a4dd851d2024838b1a66c8a0bac6d3d5b55be03da7ec2e1cb
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6feb630945b7fdc069c1eb4333e3b2176f1b962fc6cb430c68694fd8fa0cc4ef
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 85418A30B04646DFDB258F99C840B6E7BF8BF85714F1444A9EA10EF295E6B5D940CB90
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                                      • String ID: Cleanup Group$Threadpool!
                                                                                                                                                                                                                      • API String ID: 2994545307-4008356553
                                                                                                                                                                                                                      • Opcode ID: 15b18b91d99eab5b93e3b92c909ae040fd0f8b61d5fd283fb47ef4dc46b8865b
                                                                                                                                                                                                                      • Instruction ID: 9fef43d8e0172643870cae2298ac1894d745b49c6fa5b449d55d9475c29d9dc5
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 15b18b91d99eab5b93e3b92c909ae040fd0f8b61d5fd283fb47ef4dc46b8865b
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0C01D1B2654704AFD311DF24CD45B167BE8F784716F018939A648CB190E374D804CBA6
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: MUI
                                                                                                                                                                                                                      • API String ID: 0-1339004836
                                                                                                                                                                                                                      • Opcode ID: 01c2dc5501dc694a77c0d44758aa910fb8873611a9a853c9399e6f3d5bc43deb
                                                                                                                                                                                                                      • Instruction ID: 8a6439ee86ce23736b275efdd805bb7ff054b18b2c23b2918883e27c320e1279
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 01c2dc5501dc694a77c0d44758aa910fb8873611a9a853c9399e6f3d5bc43deb
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8C827B75E002598FEB24CFA9C880BEDBBB9BF48310F148569D999AF351DB709D41CB90
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 0-3916222277
                                                                                                                                                                                                                      • Opcode ID: 67d0b6c164ee8116f8f707ead464c5a5ecda93865a80260141736df096592e82
                                                                                                                                                                                                                      • Instruction ID: 6d65352e66dbe4e9ffc917adca0d2afaea07ecc3fe23531198703e102870b22b
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 67d0b6c164ee8116f8f707ead464c5a5ecda93865a80260141736df096592e82
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 64914F71A5021AAFEB25EB95DD85FAEBBB8FF54B50F500055F600BF190D674E900CBA0
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 0-3916222277
                                                                                                                                                                                                                      • Opcode ID: c19bcfda88c0de7372b514a646d55eb722e440ddd73d553f339384b3e5587b94
                                                                                                                                                                                                                      • Instruction ID: 3ca91dba0ce4864ce09bb38706fac8864337c349435d6fb40292a3ece6a18f25
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c19bcfda88c0de7372b514a646d55eb722e440ddd73d553f339384b3e5587b94
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1691C13190121ABEDB2BABA5DC44FAFBF79FF85750F100429F501AB290D7769902CB51
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: GlobalTags
                                                                                                                                                                                                                      • API String ID: 0-1106856819
                                                                                                                                                                                                                      • Opcode ID: 085c6346e8d0158048006b1a5d4578668770650e595166eb74a9404a947644dd
                                                                                                                                                                                                                      • Instruction ID: e2d2b27108d4503a014793bc71b8c17b2eb53b9bf641fe87730c51900ae71874
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 085c6346e8d0158048006b1a5d4578668770650e595166eb74a9404a947644dd
• Instruction Fuzzy Hash: E8716DB5E0020ADFDF28DF9CD5916ADBBF1BF98710F14852EE905AB241E7309942CB60
Strings
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID:
• String ID: .mui
• API String ID: 0-1199573805
• Opcode ID: 11000413cfc3a96883f831070abc83ac9f00483f217f21ff17195e119286b2a6
• Instruction ID: 6cd1a6b7ee0029d0de2f31d6bb6bd996137ccbb4a191c75359c9d51869fc68fb
• Opcode Fuzzy Hash: 11000413cfc3a96883f831070abc83ac9f00483f217f21ff17195e119286b2a6
• Instruction Fuzzy Hash: 66519472D006269BDB26DF99DC40AAFBBB4BF48710F054169EE11BB394DB749801CBE4
Strings
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID:
• String ID: EXT-
• API String ID: 0-1948896318
• Opcode ID: f81e5198fad1f680b38034fed2d52e021e505d9a56ec294868b50cf0c192b27f
• Instruction ID: c276aa31e1ff5013c01dca9953b04308a8aa65c7878d22dfc5d6bbe209bbedee
• Opcode Fuzzy Hash: f81e5198fad1f680b38034fed2d52e021e505d9a56ec294868b50cf0c192b27f
• Instruction Fuzzy Hash: 5E4191725083929BD711DA79E882B6FBBE8FFC8714F44096DF984EF140E674D9048792
Strings
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID:
• String ID: BinaryHash
• API String ID: 0-2202222882
• Opcode ID: e886d9c6700660da9179c404a971f6b512a519925182982b2537ccddfd826412
• Instruction ID: c4d2ab14e7ca3d46c1608e8f29e26a6d8e77af7b9180ab7fd1939671e31cdb3d
• Opcode Fuzzy Hash: e886d9c6700660da9179c404a971f6b512a519925182982b2537ccddfd826412
• Instruction Fuzzy Hash: 854133B1D4012EABDB21DA64CC85FDEB77CBB44714F4045A9A708AF140DB709E89CFA4
Strings
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID:
• String ID: #
• API String ID: 0-1885708031
• Opcode ID: 8bb7e5047a885dd5e1dccab6a35f3e6204860a09aa13f3b8b54d1a62b0ae0bac
• Instruction ID: fc7d403aeb2738fa22e8ff4714f47200b4c5647b485bb1df83c5857a65d6fac8
• Opcode Fuzzy Hash: 8bb7e5047a885dd5e1dccab6a35f3e6204860a09aa13f3b8b54d1a62b0ae0bac
• Instruction Fuzzy Hash: D331F631A407199AEB22DB69C854BAE7BA8FF45704F54406CEA81AF282D775EC05CB50
Strings
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID:
• String ID: BinaryName
• API String ID: 0-215506332
• Opcode ID: f0bfb274d3f90c8e0c906dad6ddb6b9c27dc17d201d37fc6347f376b7422ff8e
• Instruction ID: 85364098879195a83a20626e82fecd1e92fc7c5ef192801ce4acdedf21d8ed3e
• Opcode Fuzzy Hash: f0bfb274d3f90c8e0c906dad6ddb6b9c27dc17d201d37fc6347f376b7422ff8e
• Instruction Fuzzy Hash: 0431DF7690051AAFEB26DA5DC845E6FBBB4FB80720F41456DE905AF250D730EE04EBE0
Strings
• AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 015E895E
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID:
• String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
• API String ID: 0-702105204
• Opcode ID: c64f99a3d98a8181cb6ab650198886fdef0741c780eaed0cb6573e60eb13b02e
• Instruction ID: 06c8a24cc315c2c8ae5d7fd9900ca253fe7b3afbeefb0d1bdf85715e2a6d7b26
• Opcode Fuzzy Hash: c64f99a3d98a8181cb6ab650198886fdef0741c780eaed0cb6573e60eb13b02e
• Instruction Fuzzy Hash: 2A01F732E103129BE7399A559C8CA5A7BE5FFC1294F04145CF6424F551CB20A840C792
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f8d0c45f91b3a098992ba1b85390e61f8a145be36527a47e3b853873710d76b3
• Instruction ID: 948737ea8e2186e6871e1d6519a762f39e00303ed0b7b2ddbbceda2e6df51738
• Opcode Fuzzy Hash: f8d0c45f91b3a098992ba1b85390e61f8a145be36527a47e3b853873710d76b3
• Instruction Fuzzy Hash: 2C42D2356083019FD72ACF68CCA4A6BBBE5BF88700F09492DFA8697390D771D945CB52
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ea13301ef90a48a20c4ca37f56de0e346ce588405318eefb054262bc8afb34d5
• Instruction ID: 69623b919d9a9bf8030bc95a0079ec0631244cdbfee9a8943ecf14a3b2dc23fd
• Opcode Fuzzy Hash: ea13301ef90a48a20c4ca37f56de0e346ce588405318eefb054262bc8afb34d5
• Instruction Fuzzy Hash: 76423D75A102199FEB24CF69C841BADBBF6BF88300F14819DEA49EB251D734A985CF50
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 43bcccebfd9508a6371276ce5905f216e8f4c71c0155aad7aacdfa36580db61d
• Instruction ID: 9ad7c6ed6a97fcc684e362f1de65f025e868ccd8bbbeae06e686cf43a0c0cb24
• Opcode Fuzzy Hash: 43bcccebfd9508a6371276ce5905f216e8f4c71c0155aad7aacdfa36580db61d
• Instruction Fuzzy Hash: 7F32B970A007568FDB25CFA9C8547AEBBF2BF84B04F24451DD5869F384D735AA42CB90
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 069f5bed3659584fda703a036905140d77c211f08b8d21f37a10f78e1296b7c3
• Instruction ID: 23e67bbbebfbe37033dee99767cac376b5b45911d11070eee12cebad469051c9
• Opcode Fuzzy Hash: 069f5bed3659584fda703a036905140d77c211f08b8d21f37a10f78e1296b7c3
• Instruction Fuzzy Hash: 2522AD742147618BEB2ECFA9C890777BBF1AF44380F088599D9868B3C6E775D452CB60
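The function records on this page all share one fixed layout: an optional "Strings" heading with string xrefs, then "Memory Dump Source", "Joe Sandbox IDA Plugin" and "Similarity" headings with bulleted "Key: Value" fields (Source File, Snapshot File, API ID, String ID, API String ID, Opcode ID, Instruction ID, and the two fuzzy hashes). The script below is an added example, not Joe Sandbox code or part of the report: it parses that layout into dictionaries so the Opcode IDs, Instruction IDs and strings can be indexed and pivoted on across reports, and runs the consistency checks a practitioner would want before trusting an identifier. Its sample input is two records copied from this page. The record-splitting rule and the reading of the dotted fields in the dump file name (4th field as region base, 5th as page protection) are inferred from the visible values and are assumptions, not a documented Joe Sandbox format; the Instruction Fuzzy Hash is treated as an opaque string because its encoding is not described on the page.

```python
"""Parse Joe Sandbox per-function records (Strings / Memory Dump Source /
Similarity blocks) into dicts so Opcode IDs, Instruction IDs and strings can be
indexed and pivoted on.  Added example for this report page, not Joe Sandbox
code; SAMPLE is copied from the report, the parsing rules are inferred from it
(assumptions are marked in comments)."""
import re

# Constructed input: two records copied verbatim from the report.
SAMPLE = """\
Strings
• AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 015E895E
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID:
• String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
• API String ID: 0-702105204
• Opcode ID: c64f99a3d98a8181cb6ab650198886fdef0741c780eaed0cb6573e60eb13b02e
• Instruction ID: 06c8a24cc315c2c8ae5d7fd9900ca253fe7b3afbeefb0d1bdf85715e2a6d7b26
• Opcode Fuzzy Hash: c64f99a3d98a8181cb6ab650198886fdef0741c780eaed0cb6573e60eb13b02e
• Instruction Fuzzy Hash: 2A01F732E103129BE7399A559C8CA5A7BE5FFC1294F04145CF6424F551CB20A840C792
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f8d0c45f91b3a098992ba1b85390e61f8a145be36527a47e3b853873710d76b3
• Instruction ID: 948737ea8e2186e6871e1d6519a762f39e00303ed0b7b2ddbbceda2e6df51738
• Opcode Fuzzy Hash: f8d0c45f91b3a098992ba1b85390e61f8a145be36527a47e3b853873710d76b3
• Instruction Fuzzy Hash: 2C42D2356083019FD72ACF68CCA4A6BBBE5BF88700F09492DFA8697390D771D945CB52
"""

HEADINGS = {"Joe Sandbox IDA Plugin", "Similarity"}
# String xref line as shown under 'Strings': "<string> , xrefs: <hex>[, <hex>...]"
XREF_RE = re.compile(r"^(.*?)\s*,\s*xrefs:\s*([0-9A-Fa-f]+(?:\s*,\s*[0-9A-Fa-f]+)*)$")
SOURCE_RE = re.compile(r"^(\S+\.sdmp), Offset: ([0-9A-Fa-f]+), based on PE: (true|false)$")


def parse_records(text):
    """Assumed splitting rule: a record starts at 'Strings', or at 'Memory Dump
    Source' when no 'Strings' heading preceded it (records without string xrefs
    omit that heading on the page).  Field lines before any heading are dropped."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in HEADINGS:
            continue
        if line == "Strings" or (line == "Memory Dump Source"
                                 and (cur is None or "Source File" in cur["fields"])):
            cur = {"fields": {}, "strings": []}
            records.append(cur)
        if not line.startswith("•") or cur is None:
            continue                                   # heading or orphan line
        body = line[1:].strip()
        m = XREF_RE.match(body)
        if m and "Source File" not in cur["fields"]:   # still in the Strings section
            cur["strings"].append({"value": m.group(1),
                                   "xrefs": re.split(r"\s*,\s*", m.group(2))})
            continue
        key, sep, value = body.partition(":")          # 'String ID: AVRF: ...' keeps its colon
        if sep:
            cur["fields"][key.strip()] = value.strip()
    return records


def parse_source_file(value):
    """Offset and 'based on PE' are explicit on the page.  The dotted dump-name
    fields are not documented here, so reading the 4th as the region base and the
    5th as the page protection is an assumption (in this report the 4th equals
    Offset and the 5th is 0x40, PAGE_EXECUTE_READWRITE, which is consistent)."""
    m = SOURCE_RE.match(value)
    if not m:
        raise ValueError(f"unrecognised Source File: {value!r}")
    parts = m.group(1)[:-len(".sdmp")].split(".")
    return {"dump": m.group(1), "offset": int(m.group(2), 16),
            "based_on_pe": m.group(3) == "true",
            "base": int(parts[3], 16), "protection": int(parts[4], 16)}


def check_record(rec):
    """Opcode ID and Instruction ID are 64 lowercase hex chars in every record on
    the page, and Opcode Fuzzy Hash always repeats Opcode ID; flag deviations."""
    f = rec["fields"]
    problems = [f"{k} is not 64 hex chars" for k in ("Opcode ID", "Instruction ID")
                if not re.fullmatch(r"[0-9a-f]{64}", f.get(k, ""))]
    if f.get("Opcode Fuzzy Hash") != f.get("Opcode ID"):
        problems.append("Opcode Fuzzy Hash differs from Opcode ID")
    return problems


def index_by(records, key):
    """Map each non-empty value of a field (e.g. 'Opcode ID') to its records."""
    idx = {}
    for rec in records:
        if rec["fields"].get(key):
            idx.setdefault(rec["fields"][key], []).append(rec)
    return idx
```

To pivot across reports, run parse_records over each report's text, build index_by(records, "Opcode ID") for each, and intersect the key sets; a shared Opcode ID is a stronger match than a shared String ID such as ".mui" or "BinaryName", which also occur in benign modules.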
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 7693eb0f02cce1b08e41b9074a6aa31d2eb03940281a800d1e7ddcd523122638
                                                                                                                                                                                                                      • Instruction ID: 691609c0839efbbf0c7ae312bbeb7346a02aab8a5f44665c286f70216adfc0ff
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 7693eb0f02cce1b08e41b9074a6aa31d2eb03940281a800d1e7ddcd523122638
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 32328E75A00615CFDB25CFA8C880AAEBBF5FF88310F148569E956AF352D774E841CB90
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                                                                                                                                                                                      • Instruction ID: 47c307e6a3d9e652830632cb44364a58e4d9c98b29410015a2ed1480639be3c0
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4FF13771E0121A9BDB15DFA9C980BAEBBF9BF48754F088529ED05AF240E774D841CB60
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 1b989e68027e87fb36227167b4e41165e98bb8dcc420d73c13b4ac55ff3e4ba5
                                                                                                                                                                                                                      • Instruction ID: c3ff5e9b420e2ea2fe5654dc668772d96c1d57467dcf870928c8d64bd7200e80
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1b989e68027e87fb36227167b4e41165e98bb8dcc420d73c13b4ac55ff3e4ba5
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A6D1E071A0060A8FDF15CF69C841BBEB7F1BF88314F18856DDA55EB241E735E9068B60
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 59374a4862e437078dc8b9c083612d701d0b8a6f9f921ae89dd7ba85b2ea57b3
                                                                                                                                                                                                                      • Instruction ID: 25e28fd5ea9e215463a2a6b95a31b88b0f184b18fd2851f3551cc433c7456b83
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 59374a4862e437078dc8b9c083612d701d0b8a6f9f921ae89dd7ba85b2ea57b3
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: E0E18D71608342CFC715CF28C490A6ABBE5FF89314F058A6DE9998B351EB31E905CBD2
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: c76868dddefa7acbed53d30257a19d9dec35246c197641b62e98dc6542093922
                                                                                                                                                                                                                      • Instruction ID: 1a91519db629a1f8d3b43620d6a58868a0ebf31af133ee2b0797fa33c53e7521
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c76868dddefa7acbed53d30257a19d9dec35246c197641b62e98dc6542093922
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 08D1D171A00607DBDB54DF6AC8A0ABEB7E5BF94304F14462AED16DF280E770E951CB60
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                                                                                                                                                                                      • Instruction ID: 786808ca1394038f45f69e3ac0c4ce7ed72f037f6d1bbd54b7d51295eb728327
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: ABB14275E00605AFDF29DF99C948AAFBBF9FF84304F14445DAA429B790DA34E905CB10
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                                                                                                                                                                                      • Instruction ID: f98eb6dbee686b853d60d31687f9743a9260fd0ca6b19956bf62f4ac86408ffb
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8EB10331604646AFDB25CFA8C861BBEBBF6BF85600F180559E652DF381DB30E941CB90
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 715e8e10ed5551336283e810b7ae363ddda76cc0d435eee0d2010ff3734f86bb
                                                                                                                                                                                                                      • Instruction ID: b948d2c9618f3c016c355b5927050251d2ac0d354f1e8571ebde9aa8bf73e66b
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 715e8e10ed5551336283e810b7ae363ddda76cc0d435eee0d2010ff3734f86bb
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C5C16974108341DFD760CF18C494BAEBBE9BF98704F44491DE9898B291E774E908CF92
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: a7cf020ab134c3033651e316ac12aaf3536524951d5c11454e9aa54626fcb5fa
                                                                                                                                                                                                                      • Instruction ID: 6b13aa14a1cd5cd18749749f55f080190d8a674e6486e54e6d1ed67718e7940f
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: a7cf020ab134c3033651e316ac12aaf3536524951d5c11454e9aa54626fcb5fa
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 93B17270A002668BDB65DF58C890BADB7F5FF84704F0485EAD90AEB241EB70DD85CB21
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3583738261936e8e14072b638efc96cea4603131a78effa6ecb7400211c320cf
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0F71BE356042428FD312DF6CD481B2AB7E5FF88710F0885AAE899CF356DB38D946CB91
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                                                                                                                                                                                      • Instruction ID: 825f45e5e845fc1f6b53fecbfbabdad94c9d1b383176de17c153d21256cab170
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 12715C71E0061AEFDB14DFA9C984A9EBBF8FF98710F104569E505EB290DB74EA01CB50
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: a1291fe122d32b2fcd3a1c14f4afe8e094bcab4d2acaa76a39182757f1144e3a
                                                                                                                                                                                                                      • Instruction ID: ed465aaf2b8380340d980c865d769367b3161376af9852fa4933e870544a6403
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: a1291fe122d32b2fcd3a1c14f4afe8e094bcab4d2acaa76a39182757f1144e3a
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2E71B032240702AFE722AF18C899F5ABBE6FB84720F14491CE7568F6E1D775E944CB50
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 344636bb66aa61c2a62f24f96f565054db0634e9280b672dafe7925c7d48dddd
                                                                                                                                                                                                                      • Instruction ID: 5e3244ffa509d340013e613cb28e26c64659a48cc1377c93e5d8cea8f58ee3fe
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 344636bb66aa61c2a62f24f96f565054db0634e9280b672dafe7925c7d48dddd
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0D71F971E4020AAFEB15DB94CC41FEEBBB9FF44360F104269F615AB290D774AA05CB90
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 517d3e2f59cbbc1ecca56b0551360af2d1b19a7b55f5b0181057547a1369a68c
                                                                                                                                                                                                                      • Instruction ID: 7628bbb46dd3bc3084dd9c1a9ecad6d0f2235ddf8bef8c05beda0a9c89021b0a
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 517d3e2f59cbbc1ecca56b0551360af2d1b19a7b55f5b0181057547a1369a68c
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B251DF72546692AFD711DEA8CC44E5BB7E8EBC4710F080929BA40DB254D770ED05C7A2
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: bb49141230b6c2c6d113a397b139dd12af7eadb613f87a1589988fd022cf7c9a
                                                                                                                                                                                                                      • Instruction ID: 66575f31b09289964b87c31fab6abef1d2377d3ac8942aa232db42835eb774df
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: bb49141230b6c2c6d113a397b139dd12af7eadb613f87a1589988fd022cf7c9a
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F351AE70900B05DBD72ACF9AC880A6BFBFDBF94710F104A1ED292576E1C7B0A545CB90
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2994545307-0
                                                                                                                                                                                                                      • Opcode ID: 1aa127e6616985373dc0f4d3a570966cdf1da68887c2365b3b20db92c0decc45
                                                                                                                                                                                                                      • Instruction ID: 8b238cc4a619b802c3a15c24904b8d657e5bbd4f8baac696fbb972bcb6d4e936
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1aa127e6616985373dc0f4d3a570966cdf1da68887c2365b3b20db92c0decc45
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B6518C71200A06DFDB22EFA9C981E6AB3FDFF54754F40086AE5469B660E730ED40CB52
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 077fc71c4334844da9fd8333b7c7657496273a54d2d2cc31a73844760d633d8c
                                                                                                                                                                                                                      • Instruction ID: 42adc72c3c1f872f529211fbf38e79e75c08a5ca6deee0c07db657c83b153093
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 077fc71c4334844da9fd8333b7c7657496273a54d2d2cc31a73844760d633d8c
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 31514A716083429FD769DF2AC881A6BB7E5BFC8214F44492DF689C7390EB30E905CB56
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                                                                                                                                                                                      • Instruction ID: 290d00d1c3083b3899b72d29dfe9a57213b350d3097decebd6e868afcbe2915c
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3A514971E0021BABDF15AFA8C441BAEBBB9BF45754F04406AEA01FF240E774D945CBA0
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2994545307-0
                                                                                                                                                                                                                      • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                                                                                                                                                                                      • Instruction ID: a4a0373efa0226bebc2f3123ceb5e7a7989425413d30da7b3e29a1957f5914fa
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: CF51E831D1020AAFDF259F94C88ABAEBBFDFB40314F104669D5126F190E7709D4587A0
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 3b5486f6a81de74536b41bc958f4afeb9282c56d5a61a7e926575f502ffa1ac7
                                                                                                                                                                                                                      • Instruction ID: c538ee03cc9b4190a902f9feead270b44e975dc574b3b133dcc5359b06cf5b27
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3b5486f6a81de74536b41bc958f4afeb9282c56d5a61a7e926575f502ffa1ac7
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6641A071701A229BDB29DB2DCC94B7BBBDEEF90261F08861DE95587381DB34D801CA91
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 96a8566dccb5512245740f19fa3adbbecb79d4a0503ac9c48f071dcb95278c59
                                                                                                                                                                                                                      • Instruction ID: 3571b7decdc7eda96b1b4b72b3c439717084fd9423ff5733c874e4a3c6f11d28
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 96a8566dccb5512245740f19fa3adbbecb79d4a0503ac9c48f071dcb95278c59
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1251BA72E0021ADFCB24DFA8C9949AEBBF9FF88254F514519D556AB300D732ED11CBA0
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: ce87986812e7a7fdaed65f9cb91ef02bae91f2d7ee4d6751c957fd05c3d0fa0b
                                                                                                                                                                                                                      • Instruction ID: 8145561d35e13d3e4d69cd99c452009907f23cce6e87ae9cbdba9eed3ffe5f44
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ce87986812e7a7fdaed65f9cb91ef02bae91f2d7ee4d6751c957fd05c3d0fa0b
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4641DE31740302DBDF25EF68AC81B6E37A5FB94758F41542DE90A9F241EBA19811CBA2
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                                                                                                                                                                                      • Instruction ID: 0a268a7d1ddf51dc1932dfca09770548fde1ecca7c735c7a3bb7801f2c29eda6
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6141C871600B269FD725CF98CD84A6AB7A9FF80314B05462EED528BB40EB70ED15CF90
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 007a617bf5cd7bb7574fa0269e8167a53f402680a44a08400962051f59bdf6db
                                                                                                                                                                                                                      • Instruction ID: cfa5eb24b68084c15069286af7922a5b06c0f1eddcc7a2494bfb77e526feab9b
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 007a617bf5cd7bb7574fa0269e8167a53f402680a44a08400962051f59bdf6db
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6E418E3590021A9BDF14DF98C440AEEB7B8FF88710F14855AF915EF290D7359D41CBA6
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: b2f7e5c722b451637af595efa8951d2dcd2a19f9fae3ac92c0a7b8e74605a4b0
                                                                                                                                                                                                                      • Instruction ID: 56e3f654aabd8af84e87b9fff8026d977244da3679c525ecb05301331e502f30
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b2f7e5c722b451637af595efa8951d2dcd2a19f9fae3ac92c0a7b8e74605a4b0
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9F41C2716043029FD724EF68C885A2BB7FAFF88224F04482EE957DB611DB71E844CB51
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                                                                                                                                                                      • Instruction ID: d66b884dc5fbfc0676c7ed0c553ca7b624e6d9cf1d6693ada9db3306caa8c3f9
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 02515C75A00215CFCB25CF5CC480AAEF7B2FF84724F2881A9D915AB355D770AE81CB90
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: bb992a9b569ff913109ba0c446119d7983098b12e30d0f7d6336bf5ae5c9f94e
                                                                                                                                                                                                                      • Instruction ID: a6abccd06f07f78a79f8b43a31f029e0b5391e577bf8e5df7be647a0b988988d
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: bb992a9b569ff913109ba0c446119d7983098b12e30d0f7d6336bf5ae5c9f94e
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D951DF70900257DFDB258B68CC00BADBBB9FF51314F1482A9E529AF2D1E734A981CF80
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 79efcd19b62da627a19207e90e55202286043b0c5adcfe692f8b9349ea0e3743
                                                                                                                                                                                                                      • Instruction ID: 1a0d5d71f92de1e9b0346d320e5583156cc1e9d2343b9c181b5db4ee10871d50
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 79efcd19b62da627a19207e90e55202286043b0c5adcfe692f8b9349ea0e3743
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0F41A671A402299FDB21DF68C941BEEB7B8FF85740F0504A9E908AF281D774DE81CB91
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                                                                                                                                                                      • Instruction ID: 797d5f5c1bb292b01d1c2ecd942c4a23543e7d229f33daf869008f3c92a3db9b
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 21418575B00525ABDB15DF99CC84ABFBBFEAF84650F144069E90497341D774DD01CBA0
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: ea2d468b5c010a779e1e082b7b13af64c02049611534f735aad9ba8b4e45f6bc
                                                                                                                                                                                                                      • Instruction ID: 56456efccd37bbe6e37302031d3e0cd3bb8488c581b2a9036278212da7c89f2e
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ea2d468b5c010a779e1e082b7b13af64c02049611534f735aad9ba8b4e45f6bc
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: FA41E372A047529FC324DF68D844B6EB7E9FFC8700F140A19F9549B680E770E905CBA6
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 6ffd85c6963e5e0829202760e52916c4e711c7a08c468dc31ee220ab93d98355
                                                                                                                                                                                                                      • Instruction ID: 7795c0d77af3e48e50ce5147fdb2e6382d0d8cd0ce29ad0eabb24a49625811af
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6ffd85c6963e5e0829202760e52916c4e711c7a08c468dc31ee220ab93d98355
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: E741AE702503028BD725DF28D894B2ABBEEFF80764F14492DEA458F2A1DB30D951CB91
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: ad2ae5c2457fedd745465a3bfee62044dfbb72fd9cfc6dcd687511342bc01862
                                                                                                                                                                                                                      • Instruction ID: b36909e785fa76ea5bc9a0600d02dd4ed334f085a0378f0cdd490431f5d80277
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ad2ae5c2457fedd745465a3bfee62044dfbb72fd9cfc6dcd687511342bc01862
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: ED415071A01605DFCB55DF6AC9909ADB7F1FF88320B14862AD866AF260D734A941CB50
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2994545307-0
                                                                                                                                                                                                                      • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                                                                                                                                                                                      • Instruction ID: 463d96963cc9601ddf8b37636a0f17a9e9ab7dffc4d37246590735fb785b3722
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2D310431A04245AFDB218BA8CC81BAFBBE9FF55350F0445A6F815DB292D2749844CBA0
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 3fd1facd36343bac1b1c941f1e6f0f5fb652c30ac85df60714da061c7b099dc9
                                                                                                                                                                                                                      • Instruction ID: baaf1b9230f2cbdc92d8ccb318e9eb40bf57872cafba58cb510fa166a34e9d62
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3fd1facd36343bac1b1c941f1e6f0f5fb652c30ac85df60714da061c7b099dc9
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: CA31B431B51716ABD726AF658C41F6F7AA8BB98B50F010468F600AF3D1DAA5DC0187A0
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 82f0b1e0269a9db0b2b47ed0100b7c9f2647cda86570eed1fa3cd3cc5f0fc748
                                                                                                                                                                                                                      • Instruction ID: 0bcd1c3cf25154c35d4a5d6d760a4a0d2b895639d330583b845033a0c3d7a78e
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 82f0b1e0269a9db0b2b47ed0100b7c9f2647cda86570eed1fa3cd3cc5f0fc748
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0D31CF322052028FC321DF19DC80E26B7E6FF81360F5A456EE9998B369DB30A811CF91
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: cc898e9d0f820cdf5a1e71e60bff69660dd74f599c28e5dc4ed80aa93d334da8
                                                                                                                                                                                                                      • Instruction ID: 29df797677a8ea211ae67146331999cf4334ae269fe85c043d2737ea4df9d988
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: cc898e9d0f820cdf5a1e71e60bff69660dd74f599c28e5dc4ed80aa93d334da8
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C641B335200B45DFD722DF68C981BDABBE9BF44714F00481DE69A8F290D770E844CBA0
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: c33fd79ea8b216ffebd37f84b60a9b99c9eb372cea44012b52a68c3ead51e42a
                                                                                                                                                                                                                      • Instruction ID: ddaee9c68cc97086da34a3cfefad652a339ed1faf6274561996f513ce48cf47c
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c33fd79ea8b216ffebd37f84b60a9b99c9eb372cea44012b52a68c3ead51e42a
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5C317C716043028FD320DF29DC80E2AB7E5FB84720F09496DE9559B399EB30E815CB91
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 83570e362b9fc214ca516bf35e81c5c62b6a2890369da2210fa53123af489c43
• Instruction ID: d176093450f61f73fa6e6dbe13feb3a351d1942e5b6f87dfa8445ad37b9c6bb5
• Opcode Fuzzy Hash: 83570e362b9fc214ca516bf35e81c5c62b6a2890369da2210fa53123af489c43
• Instruction Fuzzy Hash: FA31C1317016829BF336575CCD4AF297BD8FB80B84F1D04A4AB459F6E2DB68E841C321
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 49eaf108027a3ed97ad8738e461011d5906cf191d1405571a1971e033d18b0f4
• Instruction ID: 449cb689712b34189fd8281f5b2e90ef953c668286d8ef069d909167d2ce8079
• Opcode Fuzzy Hash: 49eaf108027a3ed97ad8738e461011d5906cf191d1405571a1971e033d18b0f4
• Instruction Fuzzy Hash: 3B31E475A01666EBDB15DF98CC40BAEB7B5FB45740F458168E900AB244D7B0ED01CBA0
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c6daee1465ee8f8d5f9a824a2bf98377eb672678a9d361cb0beae1679e2ccd6c
• Instruction ID: e6a2dfbdae5aaa9d5dc166ba9c658bbb2217b69516fffced28d1ef21a1f37736
• Opcode Fuzzy Hash: c6daee1465ee8f8d5f9a824a2bf98377eb672678a9d361cb0beae1679e2ccd6c
• Instruction Fuzzy Hash: 52313476A4012DABCF36DF54DD84BDEBBBABB98350F1500E5A608A7250DB309E518F90
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3545fa2ca5f9cfd9dec29bf5804edddb04bbac88a523a375d8a1a2857652caa6
• Instruction ID: b11cc617e9ebaa8a68bde59393978f4c22a6b281442c88d7269a59a6d3425887
• Opcode Fuzzy Hash: 3545fa2ca5f9cfd9dec29bf5804edddb04bbac88a523a375d8a1a2857652caa6
• Instruction Fuzzy Hash: 3E31A772E11215AFDB21EFA9CC41AAEBBF9FF48750F11446AE515EF250D6709E008BA0
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6ded4339f4c2000a1b95ff31ee40adf02a1918bb6f3d3a6e2a3f6907d083e1d2
• Instruction ID: 39924ded4b166ae4bd571abb6584bd1b8a185bd5592e0f6ad4026a7e575ecfa1
• Opcode Fuzzy Hash: 6ded4339f4c2000a1b95ff31ee40adf02a1918bb6f3d3a6e2a3f6907d083e1d2
• Instruction Fuzzy Hash: 7931C471A00A26AFD7129FADCC50B6EB7B9BF44754F204069E905DB352DB70EC01CB90
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9874fb4e157e7728355a274b7737f15246652e64ae329c952639e80f14c5719b
• Instruction ID: 9c59ba580e4dbdbb3160c267436637a4ad0fafadf7c2a8b8c9dc8ba897b16096
• Opcode Fuzzy Hash: 9874fb4e157e7728355a274b7737f15246652e64ae329c952639e80f14c5719b
• Instruction Fuzzy Hash: 7031A032A04612DBC752DE28C890AAFBBE9FFD4660F054929FD55AF390DA30DC1187E1
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b5b1c2033801f4c1e2ade86a0be7bcea3a3dfccac569a5680403e12182267a24
• Instruction ID: 717e2ef692c2cfa5c89e87a71ef50112632f10277665e3b012919e2d29507a0f
• Opcode Fuzzy Hash: b5b1c2033801f4c1e2ade86a0be7bcea3a3dfccac569a5680403e12182267a24
• Instruction Fuzzy Hash: C6318D716093029FE720CF59C840B2AFBE9FB98B00F05496EE985AB351D770E944CB91
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
• Instruction ID: dac3fd77f4232448fc074a009c2bc7fc57409ea4128633f6c4bd849be6a95dd8
• Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
• Instruction Fuzzy Hash: EC313EB2B00701AFDB61CF6DDD42B5BBBF8BB48650F04092DA59AC7651E630E900CB61
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 12df0e34c4c31042ff7e546ec1f5ca4fd2857d90a9c37eed0109671a7a67d447
• Instruction ID: 52ff13ceea3b871673467d4ec29978cb3d3e2e890aad30a3ac9e25b2b511c8c6
• Opcode Fuzzy Hash: 12df0e34c4c31042ff7e546ec1f5ca4fd2857d90a9c37eed0109671a7a67d447
• Instruction Fuzzy Hash: 5431BAB1605312CFC71ADF19C94091ABBF2FF89614F444EAEE8989B391D332D944CB92
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 416bde748b266c783a4f69512e980862d6c49e0c8e41f2eb7fa9a28a106c5474
• Instruction ID: 86e18a73fb6066941b4467b00a515847dd8cb418978d88cb8b2c9a24a6ae4d5e
• Opcode Fuzzy Hash: 416bde748b266c783a4f69512e980862d6c49e0c8e41f2eb7fa9a28a106c5474
• Instruction Fuzzy Hash: 7F31C271B002079FD720EFB8C981B6EBBF9BB84744F10852AD956EB664D730D945CBA0
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
• Instruction ID: eabdcf87d3b340a50d93a7c2093f7f9b2d94a330a1e8c69fbb7b828515b525e0
• Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
• Instruction Fuzzy Hash: 9C21F236E0125BAADB109BB9C851BEFBBB9BF54750F0584369E15FF340E270D90087A0
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6a91418cc57113e0c94146c881a955a416767ec9ddbe7fdd270e6dd848f7b624
• Instruction ID: 1b194a2d2359f1f558f9de1eeff1d7cf50b255b639f84c9766f99c47efc849ba
• Opcode Fuzzy Hash: 6a91418cc57113e0c94146c881a955a416767ec9ddbe7fdd270e6dd848f7b624
• Instruction Fuzzy Hash: 3C310B725003118BD721AF68CC91BED77B4FF91318F5481A9DD859F342EA74D986CBA0
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                                                                                                                                                                      • Instruction ID: 9be9dc8b062aa843f9e873b812057af6e6c18f7b8d279f5cbb90c10245f01c5a
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: FD212B3A680653AACB15ABA58C00BBEBBB5FF80710F44C01EFA958B691E734DD40C360
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: ae1ccd30052633f363fad7a80c1e8437aea28080853cfd225a508e5869103607
                                                                                                                                                                                                                      • Instruction ID: c76749b93219ca3a9766a295d83d1102fcfcb4d12604d1a14466fe0506b31750
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ae1ccd30052633f363fad7a80c1e8437aea28080853cfd225a508e5869103607
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 7D31D331A00129DBDB219A18CC52BEEBBB9FB55740F0004A2EA45AF290D6B49F808F90
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                                                                                                                                                                                      • Instruction ID: 0fc54cda333454823f5354c2723be1467981ed64415a151eb56fc25232d2d64a
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A5219175A00649EFCF15CF58CA80A8EBBB9FF48314F108569EE159F241D670EE06CB91
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 7455a4fcae0d0a7fc03b9a2cd3f1f95e66ac367918be596581a0ea39a1fc0191
                                                                                                                                                                                                                      • Instruction ID: 6e2f2fd81cf001ba43c15a0dd62db280c562d2c4ead3e307348ca586ec3a10c6
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 7455a4fcae0d0a7fc03b9a2cd3f1f95e66ac367918be596581a0ea39a1fc0191
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4C2181726047469BCB22DF58C980B6F77E4FB88760F054919F954AF641D730ED018BA2
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                                                                                                                                                                      • Instruction ID: 6498da2cba52a17d9df593f9d6467863ef802cea5419ac0425ea06c5cd098321
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8D318831600605EFD721CB68C895F6AB7F9FF85354F1449AAE9128F291E730EE01CB50
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: eb5ad0f34ef67aca5d8e05f518300866678e4abbf8b54ca1a6770c3044b09eb6
                                                                                                                                                                                                                      • Instruction ID: 7d3d40c5b882ef33460776b5f7900e1e9e3130636a2373061d3b0999670a5c70
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: eb5ad0f34ef67aca5d8e05f518300866678e4abbf8b54ca1a6770c3044b09eb6
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 16318B75A00206DFCB24CF5CD8859AEBBB5FF84704F158459E80A9F391EB31EA50CB90
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 91da41198d6dd57baebc81108789dae188380dfee8e7deaab841c950f7c935af
                                                                                                                                                                                                                      • Instruction ID: bb79aaedc2a803e501c04786594498e94471d0afbb4282133e5bd63e3024d023
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 91da41198d6dd57baebc81108789dae188380dfee8e7deaab841c950f7c935af
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: BC218071E0062A9BCF14DF59C881ABEB7F5FF48740F540069F941AB240D778AD51CBA1
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: f411f5d4cfe60334ea67920ddacc9840f92ca953fd9942e42f4116691906eeb3
                                                                                                                                                                                                                      • Instruction ID: 306ecb7b4aa461dbbad7cf6de5fbb4a37c30923b5d45e1648ba7dab21537d11b
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f411f5d4cfe60334ea67920ddacc9840f92ca953fd9942e42f4116691906eeb3
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1E218B72A00646AFD719DB68D844F6AB7E8FF88750F140069F904DB690D774ED40CB68
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: de39016a89f158fd1183492f2b1d1a35e2f64cd845d426eb039ebcb7e77f5da0
                                                                                                                                                                                                                      • Instruction ID: 4526967ba3972f13898df36ab74729fb0aa7ea9b9eebbbf19c36b3d810e3d9fa
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: de39016a89f158fd1183492f2b1d1a35e2f64cd845d426eb039ebcb7e77f5da0
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8121CF72A042469FD715EF59D848B6FBBECBFD4650F080856BD808F291E770C904C6A2
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 134a4a1bdd83ae135173d26610533802f5b0286c78416539bc1ffb6842146c27
                                                                                                                                                                                                                      • Instruction ID: b57e9539836f9c3b0684f8f1df9a96e5bb1bb2df79d90f73ca1382ddefb0d8e4
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 134a4a1bdd83ae135173d26610533802f5b0286c78416539bc1ffb6842146c27
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8F1108733041159FCB1ADF29CD86A7F72A7FFD5770F254929E9229F290EA309802C690
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: ee73e13abe4353372218cca757254e54f9e75bbd4355443c729a6d9e1f997ce3
                                                                                                                                                                                                                      • Instruction ID: ecf00b3bfb6f6280e337eda67996361799835c6f3fbdb8083e8791e4b73ebda6
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ee73e13abe4353372218cca757254e54f9e75bbd4355443c729a6d9e1f997ce3
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 72118C76A012069BCF25CF59D980E6EBBE9FF94650F064079D9059F311E630DD04CB91
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                                                                                                                                                                                      • Instruction ID: 205231ed2210e5364b71f905416fabf1cd87cbbd74dc379082af8914bd79edf5
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: EB11C436A10926AFDB19CB58CC05B9DBBF6FF84310F058269EC5597380E771AD51CB80
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                                                                                                                                                                                      • Instruction ID: 74d75d9c08d463a16f18953cdaedd1121925926e81535af85af481a0ce8f73c0
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9421D6B5A40B459FD3A0CF29D541B56BBF4FB48B10F10892EE98ACBB50E371E854CB94
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                                                                                                                                                                                      • Instruction ID: 399b509dfd99aecf64bb6b1fbc5dd5a61ac13d6262bfdb0053ad838ce1d93378
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 64110632E24602EFE7299F48CC4AB1A7BE5FF81754F058428E9499F150E730DC45C790
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 527b64a3fe8223a9c7f07180ac1c5b1296fd381be914b18de7d471c664be96b2
                                                                                                                                                                                                                      • Instruction ID: afd51acde950896d22781ac9214b83186f6efabc8209b15ef11a90253419b782
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 527b64a3fe8223a9c7f07180ac1c5b1296fd381be914b18de7d471c664be96b2
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D301C47160568AAFE726A6AED844F2B7EDCFF80794F050469F9019F251EA54DC00C6A1
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 47c4ca3a308b9b6ffe4bfba66f8206c2fbe19e84e3f0927fc7aee00a20270b33
                                                                                                                                                                                                                      • Instruction ID: f81dc65b9d1d85d6d395b2c94df6cd5d3f4e7b4d6e355f8f29311f9c766fa759
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 47c4ca3a308b9b6ffe4bfba66f8206c2fbe19e84e3f0927fc7aee00a20270b33
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 94110E76200641AFDB21CF69D880F1A7BACFB86B64F044519F9048F240C778E841CFA0
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 9f0e68c8938064ddc4059d2daf5c1cbe1adcf3012755f8d2ed6126d873caa736
                                                                                                                                                                                                                      • Instruction ID: b14d31d7b200425272ae616f8461ed86de6bf59219f86834da6008e9168f66ef
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9f0e68c8938064ddc4059d2daf5c1cbe1adcf3012755f8d2ed6126d873caa736
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3F11C2362006129FD726DA69DC40F66FBA6FFC4751F194429EA8387790DF30A802CB90
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 07ffc3a59453c6d75ffa6350ac27e1f5f3e6f89a107823fb1f64bc265a6ba07f
                                                                                                                                                                                                                      • Instruction ID: a1e2e5dc08d6e9a653c381780f7dc69f9ff29ed6d0f6bb28ba7638f4937cecd0
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 07ffc3a59453c6d75ffa6350ac27e1f5f3e6f89a107823fb1f64bc265a6ba07f
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4D118E76A00716ABEB21DF69DD80B5EFBB8FF84750F540459DA01AF200DB30AD05CBA2
                                                                                                                                                                                                                      Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 86c522320863e5df915fb86a06f40bb793941100eb92e672839e2402596df2ca
• Instruction ID: 9865e36b83401304f971aab6a451adea91647a73e7f8f887b79a8caa3f33ab8b
• Opcode Fuzzy Hash: 86c522320863e5df915fb86a06f40bb793941100eb92e672839e2402596df2ca
• Instruction Fuzzy Hash: 250192725002069FD725EF19D84EF26BBF9FBC5714F24826AE1069F260D7B0AC42CB94
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
• Instruction ID: 5663cccb783be1e71767deb808322ce79a30cc5c9bbbeff45dd2745b356473a3
• Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
• Instruction Fuzzy Hash: 46116F312016C29FE7239B9CD845F6D7BE4FF41B94F1904A5DE019F642F328C842C221
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
• Instruction ID: 034cfcb061ec1726564effb3d95879a63018baae75d0bf2420e6b95fcf32b96d
• Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
• Instruction Fuzzy Hash: CB01F532A60146AFE7299F68CC0AF5A7BE9FF85750F098424EA05AF260E775DD40C790
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
• Instruction ID: 8f1dcdd989fd44fac8f0eec6574413b5a2d7962a9db4f86c4ad4e4286c90cec8
• Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
• Instruction Fuzzy Hash: 71012631414722AFDB718F19E851A3A7BE4FF557A07008A2EFC958F281D331D400CB60
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b30282929747027e3ccae1c2787d4f859de50e71cffe12e835a5e0b1e7fafbdc
• Instruction ID: e7dbcd737791a3298bd897dc189ec0feb67a9c195192781953f812ab3615f34a
• Opcode Fuzzy Hash: b30282929747027e3ccae1c2787d4f859de50e71cffe12e835a5e0b1e7fafbdc
• Instruction Fuzzy Hash: 2901CC725516129BC322DF1CDC40E12FBA8EFD1770B254265E9A89B2E6EB30E801CBD0
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f8ab2bd3bdff06ba4ad8709de612125f19d4b835baf769cacdd884943f6993e3
• Instruction ID: 9fc8a1dc1b0a0155580b8314f8d790b915665aff94d5fcab0c51e86e6fd7ea89
• Opcode Fuzzy Hash: f8ab2bd3bdff06ba4ad8709de612125f19d4b835baf769cacdd884943f6993e3
• Instruction Fuzzy Hash: F611A131241241EFDB25EF19DD91F16BBB8FF94B54F1000A5E9059F661C235ED01CB90
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fb19dc5c9d6d3f865134023d2574f653f5eedf279f561952390fcee55118c858
• Instruction ID: d69b02126e7b6276becaf7fb06a896bce3e6a369f8290fea9ca9057245f4cab7
• Opcode Fuzzy Hash: fb19dc5c9d6d3f865134023d2574f653f5eedf279f561952390fcee55118c858
• Instruction Fuzzy Hash: BC115E7054122EABDB65EF64CD42FEDB278BF44710F9041D4A314AA0E0DA709E81CF85
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 715a508a12f22e4f0f2052161c9ffd793e92f2c6a927dd532ae4a91b013ff398
• Instruction ID: f73cd2cb8a36021a4382e3e44b8e43bbad4966d4ddc77ac694c4bda78cbd92e1
• Opcode Fuzzy Hash: 715a508a12f22e4f0f2052161c9ffd793e92f2c6a927dd532ae4a91b013ff398
• Instruction Fuzzy Hash: 3911177390011AAFCB15DB94CC84EDFBBBCFF58254F044166A906AB211EA34AA15CBA0
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
• Instruction ID: c17a8f56f32bc07fdc20507cc18a9f3473f39a1803dd8b0380485abd10c8d8b1
• Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
• Instruction Fuzzy Hash: AB0124322011018BEF119A2DDCC0F9AB7ABBFC4720F1948AAED058F246DA71CC81C3D0
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 06a2663c2b772fb4116b3d32c1b9225b5cc5339fc29a15cb7bfe5663983c3dac
• Instruction ID: 576443bfe9438ce9339f2b920fd8afc0132e3d9211b1e31f1107da01e45877fb
• Opcode Fuzzy Hash: 06a2663c2b772fb4116b3d32c1b9225b5cc5339fc29a15cb7bfe5663983c3dac
• Instruction Fuzzy Hash: 711104326001469FC301CF28D840BA6BBF9FB9A304F488559E948DF315D732EC80CBA0
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9ea9dbeb14bb41ea7f5052c679fe1365442c39f7fc28bc57fd5cf9b5e918a5b7
• Instruction ID: 203fde5e0fe1a5c04e8b595ba88aa8267f109fb00854890832bcf0f5e58976f4
• Opcode Fuzzy Hash: 9ea9dbeb14bb41ea7f5052c679fe1365442c39f7fc28bc57fd5cf9b5e918a5b7
• Instruction Fuzzy Hash: 4E11ECB1E0020A9BCB04DF99D545A9EBBF4FF58250F54406AA905EB351D674EA018BA4
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: ba75448d591e3d4be12294b56b22232d60b03fb8457643d3948eb4204473d7c1
                                                                                                                                                                                                                      • Instruction ID: ddabe5dbd14b142f44c37a5a94e25f3e75522d261bfe550bbe9928576368b1f4
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ba75448d591e3d4be12294b56b22232d60b03fb8457643d3948eb4204473d7c1
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 730192315402229FC727AA159C40D37BBAAFF96690F04482AE9555F391C722D881CB91
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                                                                                                                                                                                      • Instruction ID: 163f810ac8ecc9db29b299f677cbc085a394d624bd6aabe26d6c8a17add5ca13
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A801B5321007069FEF6297A9D840EABB7FDFFC5354F04481AA9468F590DA74E401CB50
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: ac5fd65cd9d95345c51dcd30978b4965019b61e67ee211d2c6e2473e3cd967b6
                                                                                                                                                                                                                      • Instruction ID: bc669570324c344643bfaf022c44df91472f4c14f97ca28939f8d5c17afc1b6b
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ac5fd65cd9d95345c51dcd30978b4965019b61e67ee211d2c6e2473e3cd967b6
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: E8116975A0020EEBCB15EFA8C851EAE7BB5FB84280F004059EA159B290DB35AE11CB90
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 6ac912df475320fb98b24404e516c7278c34b9553c743b5fbf2cafe2d53a1195
                                                                                                                                                                                                                      • Instruction ID: 732959a7334494c9e1ab526ffb2743b3ee0ec4bd5bad7c6cf82cc434edce0536
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6ac912df475320fb98b24404e516c7278c34b9553c743b5fbf2cafe2d53a1195
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C2018F71211A02BBD351AB7ADD85E57BBACFFD56A4B000629B5058B651DB24EC01C6E0
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 8eac87120409ec7f4d75f2510424d19a3804c925507e1283e5661c211c2dc3c4
                                                                                                                                                                                                                      • Instruction ID: 67b4eb0ae6d12aa045249ede94fff4456655c919c03e48eba27c17d8dc9d3f67
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 8eac87120409ec7f4d75f2510424d19a3804c925507e1283e5661c211c2dc3c4
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8101FC32224302DBC320DF69D84896BFBE8FF94660F51462DEAA98F180E7709955C7D1
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 385e9b39ec3ee558aa59df828a809d9771ebad2ccf7fedae863fbec334a1463a
                                                                                                                                                                                                                      • Instruction ID: 89d1e5b01e707e813e2ecc413639f527b9ae8e08477467afb390aa2661416018
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 385e9b39ec3ee558aa59df828a809d9771ebad2ccf7fedae863fbec334a1463a
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B1115B71A0020AEBDB19EFA8C844EAE7BB6FB88250F004059B9019B340DB35EA11CB90
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 1b3a80a33ec105bf31bdfaf541f95d741987241ee1e6569f894d1be15b1aa2b0
                                                                                                                                                                                                                      • Instruction ID: 196e9ee16038050cf2e6005aabeccfdbcf27b221bef2d45f638dac4c5ceb6d9c
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1b3a80a33ec105bf31bdfaf541f95d741987241ee1e6569f894d1be15b1aa2b0
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B51179B1A083099FC700DF69D84695FBBE4FF99310F00491AB998DB391E730E900CB92
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 01d42fa91a13bbad4f8349d5f08d81267649182c246bed3a9967617260380968
                                                                                                                                                                                                                      • Instruction ID: 44aae09ba1a3d8c31888122647dd0f563994591cdbeeebfbd96d2e662741f12c
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 01d42fa91a13bbad4f8349d5f08d81267649182c246bed3a9967617260380968
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C01179B2A083099FC310DF69D84594FBBE4FF99350F00891AB958DB3A0E670E900CB92
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                                                                                                                                                                      • Instruction ID: 61e787461d82907443fa94f293a3553c81a46a7c2a2756e92cda2e5959586e1d
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 75017C722016809FE327861DD94AF6A7BE8FB86758F0904A5FA05CF6A1D668DC40C621
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
                                                                                                                                                                                                                      • Instruction ID: fbbe1860b1f2d2645922c9dbfd2e9767d5ed3811b090ee99f84b5bd5abb5a211
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 17536433319d781127ecc705b0b8debcfca5d098dd39f98be043d93becac6a20
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0C018936510219ABCF129E94DC44EDE3FA6FB4C754F059105FE196A220C732D970EB91
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 9dee0429986324cd7ea530ed5649155278496aa3887d37c398e610bc236f355c
                                                                                                                                                                                                                      • Instruction ID: 6758a5d103920688cba7fa3d9b327497c3928e086974d6dc5e24847533842af0
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9dee0429986324cd7ea530ed5649155278496aa3887d37c398e610bc236f355c
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8DF0F0B2A043425BF39496198C22B2233DEF7C4791F25842BEF098F2C1E970D8018394
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: e4095d4921ee8ee666dfaca272fcfce0af2b55c41f051dc75aa819a0fd68e98b
                                                                                                                                                                                                                      • Instruction ID: 19f5ef578384599a1b946e7dfe8047120ee0426197f36176cc166296def8b65b
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e4095d4921ee8ee666dfaca272fcfce0af2b55c41f051dc75aa819a0fd68e98b
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4D0144716407869BEB329B6CCD4DF2937E4BB40B54F880594BA018FAD6DB78D4418716
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                                                                                                                                                                      • Instruction ID: 5ec8b2a682faf3d0fee587a40f1fb78fa52ca13f2edace8fe09b16d9302578f1
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: DBF0893534192347EB7FAA2F9C10B2BA756AFD0950B05692C9755CB7C0DF60D8018790
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                                                                                                                                                                                      • Instruction ID: aabe1b8c87a55e4d6929d00783826271232fb6eb1cbfa4e723fd2f0fea1252f1
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 10F0E933F285129BE3358A4DDC86F16B7E8FFD5A60F190064A6049F260C360EC01C7D0
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 3b037ff7fb1663f899b16e43d06e69f28d19d8532aa7980f0ace8079d281ad48
                                                                                                                                                                                                                      • Instruction ID: 3170dc5df9313c348f8f6f922711cd1cf36ad5f8802f88f4e36bc63d1bfdea1a
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3b037ff7fb1663f899b16e43d06e69f28d19d8532aa7980f0ace8079d281ad48
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B1F0AF706097059FC314EF68C946A1EBBE4FF98710F80465AB898DF390E634EA00C796
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                                                                                                                                                                                      • Instruction ID: 7d73152834fc782fc155a6cb1f67c3892d6da2cfa93b894b7bd400c2c81a3e23
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 24F0B472610205EFE714DB25CC01F56B6EDFF98740F148878A945DF2A0FAB0DD01C655
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 78f83c91d7642e69c9c6bcc4b43f42b2ff4e2e13500cfa6de2d3c658fcfbfa1e
                                                                                                                                                                                                                      • Instruction ID: 988da34d37081849353511a8e37526ac80f8cc9dcb9341d1abec52523ca656cf
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 78f83c91d7642e69c9c6bcc4b43f42b2ff4e2e13500cfa6de2d3c658fcfbfa1e
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 69F04F70A0124AEFCB04EFA9D515A5EB7F4FF58300F408055A955EF385DA74EA01CB60
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 019728f512a6bb7f51fa4ec724bee017311c887eef62a66de4c4bfbbde54f6ef
                                                                                                                                                                                                                      • Instruction ID: 862e5db3cc98c1b0d7eb7290ddfedd0dacdee9623d0986e384b2c0ef0b5315b0
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 019728f512a6bb7f51fa4ec724bee017311c887eef62a66de4c4bfbbde54f6ef
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6FF0BE319166E1DFE733CBACC494B69BBDCBB40620F08896AD5898F502CB24D880C6D0
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4AE0AE347003058BE719CF19C044B667BA6BFD5A10F28C078A9488F205EB32A8428A40
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: c2ea4f76e5a610d145f0bee95b34cc23f7ae17c6c56ffc0bb641270dff7ccc68
                                                                                                                                                                                                                      • Instruction ID: d7bea787bf7f7a20f5aebfff350b51f799f2ebef3ab1a031466aa3ec487c2b26
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c2ea4f76e5a610d145f0bee95b34cc23f7ae17c6c56ffc0bb641270dff7ccc68
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: CBD02B324910616ECF35F128BC04F9B3A99BB90370F018C60F5089A050D598CC8192C4
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                                                                                                                                                                                      • Instruction ID: 77294fbfc7bf8ac340f62bfb5c8c110541d5c3e7fac44e9ed189a6c73b7a7d81
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A3E0C231144A16EFDB722F27DC11F597AE5FF94BA0F104C2AE4820E4B487B0AC81DB45
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 05715383510d8365b91f64a9d843912edb5f96d17a902eec1d06156e1d2ed388
                                                                                                                                                                                                                      • Instruction ID: e17f8bf0fd9134d48e59478ee6cc178730099f22ffd27e14e5140814d680d97c
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 05715383510d8365b91f64a9d843912edb5f96d17a902eec1d06156e1d2ed388
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D6E08C321005616BC321FA6DED51E4A739EFFE4260F000221B1518B290CA60AC00C7D4
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                                                                                                                                                                                                                      • Instruction ID: 47b0073eba5f1fb842c15d580da0fdfdd6eb3efec502bebd56861d2790f930da
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 63E08633111A188BC728DE18D512B7677E8FF45730F09463EA6134B780C574E544C795
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                                                                                                                                                                                      • Instruction ID: ec32a0031dae9539b62ac920e66e49aafab049ad43adf01278318160742fa45e
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 33D0A932214620ABE772AA2CFC00FC333E8BB98720F060459B008CB050C360AC81CA84
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                                                                                                                                                                                      • Instruction ID: e10e0ba2f92c66fa0bb9bc652df5f50d510410bd6afb1fde56f05ae38934582c
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3FE0EC359516859FDF62DF6DD641F5EBBB9FB94B40F550054A1085F660C724AD00CB80
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                                                                                                                                                                      • Instruction ID: c695494d39459fe8d7ad7f422f2e6cfc48ded0ec93654020f263d615b33b2c11
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 93D0223222203193DB685665A820F677949BFC0AA0F0A012E380A9B800C1048C43D2E0
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                                                                                                                                                                                      • Instruction ID: a77fee2f67001134aca999ec2eff0d349deade2baaee655df11a4fd886a07e31
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B1D012371E054DBBDB119F66DC02F957BA9FBA4BA0F444020B5048B5A0C63AE950D584
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 1d45c75abf7c5d249e4a5906c38fbec323cd3c01883288bd509db44722b9ec45
                                                                                                                                                                                                                      • Instruction ID: 8fe7efd4de0d5a8494a64b81c051d0bcc699ef40de0494e188cdcdd3580eddad
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1d45c75abf7c5d249e4a5906c38fbec323cd3c01883288bd509db44722b9ec45
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 88D0A930612102CBEF2ACF1CCE20E2E3AB4FF10640F80006CE7009A820E368EC01CB21
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: c7288927ccab78772358b5d871f778d3dad781e6fd6f4fc172c8b908cc6edbb0
                                                                                                                                                                                                                      • Instruction ID: c04e1c8be3abb7294956e9c4b063ebc01df16e88485152343dcc5c21981d6d64
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c7288927ccab78772358b5d871f778d3dad781e6fd6f4fc172c8b908cc6edbb0
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2390023124140402D14171584844646004DB7D0251F99D412A0425954EC6958B56AF61
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: ccdfa87683455786fb6157ac4ba9af8b83b7005e6169316ef21cd24147291986
                                                                                                                                                                                                                      • Instruction ID: f3d3e0ac5d5c26564469e8fef01d4d4c7817d6bb102169811fe39bea343d6531
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ccdfa87683455786fb6157ac4ba9af8b83b7005e6169316ef21cd24147291986
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6790023120140842D10071584844B860049A7E0311F59D416A0125A54DC655C9517A21
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: d318eb7a2c7a36e9b7322d6e7c03e7348bb926a801e31643f2610b516ec9e9f5
                                                                                                                                                                                                                      • Instruction ID: 97ff51c71f3f09e5d766eccd70c10bcd4722e152a706655abbee816d4b6a913d
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d318eb7a2c7a36e9b7322d6e7c03e7348bb926a801e31643f2610b516ec9e9f5
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: EA90022160540402D140715858587460059A7D0211F59E411A0025954DC6998B556BA1
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 26356e9dcc4384624a8dee7f5a98ee9ecd82d05006188b099fe61452ba8912de
                                                                                                                                                                                                                      • Instruction ID: 028277e6a1129d2832a376b49666781de19394a62491e72093c85873cd780826
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 26356e9dcc4384624a8dee7f5a98ee9ecd82d05006188b099fe61452ba8912de
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F590023120140403D100715859487470049A7D0211F59E811A0425958DD69689516621
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 48112dfcba5cd4ad3eca521cd1b6711c9961c88afda1c361331a632d085ea50e
                                                                                                                                                                                                                      • Instruction ID: 4617b43a45142a67526f596eb042f6352da202ccfe7cf6504a0c14e3eb625d7f
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 48112dfcba5cd4ad3eca521cd1b6711c9961c88afda1c361331a632d085ea50e
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1690026121140042D104715848447460089A7E1211F59D412A2155954CC5698D615625
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 3b82e16c4df64e498327403bc62b38a37afbce5a89c2023a65bd5b1a31ec2163
                                                                                                                                                                                                                      • Instruction ID: 3c3092df504ba5c1bd55f762c841544a9378805b33a6274280dc6351ff8c3013
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3b82e16c4df64e498327403bc62b38a37afbce5a89c2023a65bd5b1a31ec2163
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A390023120180402D10071584C487870049A7D0312F59D411A5165955EC6A5C9916A31
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 354b4ec8024fe4574c00399c32d27209298f155ee02c3332dde46db039cb9d34
                                                                                                                                                                                                                      • Instruction ID: cd62597e71454c7943e8be4cc9d0df924523f0da23a562797075ae2214b77ce9
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 354b4ec8024fe4574c00399c32d27209298f155ee02c3332dde46db039cb9d34
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B890022130140402D10271584854646004DE7D1355F99D412E1425955DC6658A53A632
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 881187a4344ddb9ec8b56efa98e62bf3b3d8c983569c284de9922ac7506927bf
                                                                                                                                                                                                                      • Instruction ID: aa742268de911812b22c1a039fd22eb6efa98255934fc7e21a9d301f71ecf496
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 881187a4344ddb9ec8b56efa98e62bf3b3d8c983569c284de9922ac7506927bf
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9C90026120180403D14075584C446470049A7D0312F59D411A2065955ECA698D516635
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 78a178654d274b5eea23fc9955546b6320b632939e73d43ca0d3d30b16562a00
                                                                                                                                                                                                                      • Instruction ID: fe75649adf07ffb2e00a6ff2a9cf58fb55c6e74ef53634e894939d497606b662
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 78a178654d274b5eea23fc9955546b6320b632939e73d43ca0d3d30b16562a00
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1E90022120184442D14072584C44B4F4149A7E1212F99D419A4157954CC95589555B21
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: a3a04fa23b26d28780cf731ac3a8d043182d9692b5edb934c3e1b25d2d6cb8eb
                                                                                                                                                                                                                      • Instruction ID: 18a7df108884b100629fc1b2edf7d82a72cd36f374cd152d7ffebaafc55ad6f5
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: a3a04fa23b26d28780cf731ac3a8d043182d9692b5edb934c3e1b25d2d6cb8eb
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 7D90022124140802D14071588854747004AE7D0611F59D411A0025954DC6568A656BB1
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 1d438bde73d012e1853eb988919387bf5fda12c259e9201c7a6ada19460b46ce
                                                                                                                                                                                                                      • Instruction ID: f2c2860c8d1c327eb398680674d535abe2cd5da8cb2f32ddd77c956932fddc50
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1d438bde73d012e1853eb988919387bf5fda12c259e9201c7a6ada19460b46ce
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 7390023160550402D100715849547461049A7D0211F69D811A0425968DC7D58A516AA2
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 1712b1620290fb5a8d495fa5fd213ac2b6f3f3fac3e00ef4e7b520dd7d13f435
                                                                                                                                                                                                                      • Instruction ID: fa8f071f30b359a6e4515de6e6587705a0c3ef5b6c0ad6f3c68d37e1815cf843
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1712b1620290fb5a8d495fa5fd213ac2b6f3f3fac3e00ef4e7b520dd7d13f435
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1E90022124545102D150715C48446564049B7E0211F59D421A0815994DC59589556721
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 8a0215303b51d2beaffeef4ba6cf5cea289c59d930e2b00b4c46b3224fd3e450
                                                                                                                                                                                                                      • Instruction ID: de19d4b5a95d7d9ac34ac9f1eeee787929a050734f54f2d590ec86cfb8fcb008
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 8a0215303b51d2beaffeef4ba6cf5cea289c59d930e2b00b4c46b3224fd3e450
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: E190023520140402D51071585C44686008AA7D0311F59E811A0425958DC69489A1A621
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: aef92f32e46a7ef444b272305107396a1c379e567e66ea0ece7ab8cc2c7c92f5
                                                                                                                                                                                                                      • Instruction ID: 6324b6ac1ec0daf86d994952db7fe92037a6ee29ed80744c3e1d9b379d09e6b6
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: aef92f32e46a7ef444b272305107396a1c379e567e66ea0ece7ab8cc2c7c92f5
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C390023120240142954072585C44A8E4149A7E1312B99E815A0016954CC95489615721
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                                                                                                                                                                      • Instruction ID: c95e441e6e187c0effe3ebaf6fe3fe5d65784a0af85680fa48b23376aed0396d
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                                                                                                                                                                      • Instruction Fuzzy Hash:
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ___swprintf_l
                                                                                                                                                                                                                      • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                                                                                                                                                      • API String ID: 48624451-2108815105
                                                                                                                                                                                                                      • Opcode ID: 234123a0ae4bcd93c9a51f7d93df067bba5cb610564baa6194bf9828db148dc5
                                                                                                                                                                                                                      • Instruction ID: cdd2e0c0200472077c9a476eb8c48c00ccca4f4fb77c906bd84eb65a259693ec
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 234123a0ae4bcd93c9a51f7d93df067bba5cb610564baa6194bf9828db148dc5
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9C51D7B2A40217BFCB21DB9C89D197FFBF8BB48640B948569F455DB641D334DE408BA0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ___swprintf_l
                                                                                                                                                                                                                      • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                                                                                                                                                      • API String ID: 48624451-2108815105
                                                                                                                                                                                                                      • Opcode ID: 2d4485e12083fbae3736f4b7b04aace1eb1a5259b88f47100afaf4bbfaa0d9ee
                                                                                                                                                                                                                      • Instruction ID: 6b83b760a155371a1152355d108eb8fb13b1b9f4aa8fca1a74cdd01cdbe01a4d
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 2d4485e12083fbae3736f4b7b04aace1eb1a5259b88f47100afaf4bbfaa0d9ee
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 19510771A00646AECB34DF9DCCE097FBBF9EB44200B28845EE496C7686E774DA408760
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 015D4655
                                                                                                                                                                                                                      • Execute=1, xrefs: 015D4713
                                                                                                                                                                                                                      • ExecuteOptions, xrefs: 015D46A0
                                                                                                                                                                                                                      • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 015D46FC
                                                                                                                                                                                                                      • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 015D4742
                                                                                                                                                                                                                      • CLIENT(ntdll): Processing section info %ws..., xrefs: 015D4787
                                                                                                                                                                                                                      • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 015D4725
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                                                                                                                                                                      • API String ID: 0-484625025
• Opcode ID: 256fb040dcad60ddc8c220dbb119c36bdbcb087f0937f7dac8f6add4fa93ff59
• Instruction ID: c837e498859dbf00a1277e57878a1ae93e884cb1c002d7497d0627bc430e4564
• Opcode Fuzzy Hash: 256fb040dcad60ddc8c220dbb119c36bdbcb087f0937f7dac8f6add4fa93ff59
• Instruction Fuzzy Hash: C0512C3165021A7BEF21EFA8DC85FAD77A8FF58304F44049AD605AF181EB70AA41CF95
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
• Instruction ID: 5300fb0e8536f00ee0ef426106eae8ce0d4f31a3a8201defb2eddd9e889ec3e2
• Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
• Instruction Fuzzy Hash: AD0203B1508342AFD309CF18C894A6EBBE5FFC8714F448A2DF9954B264DB31EA05CB52
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID: __aulldvrm
• String ID: +$-$0$0
• API String ID: 1302938615-699404926
• Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
• Instruction ID: 001b5fa3a2ff7c2b7c916b195b73fa923b0bd93a3a4fd5a86dae1eea8c082f91
• Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
• Instruction Fuzzy Hash: 7C81C170E8524A9EEF25CE6CC8517FEBFB1BF45320F984619D861AF291C77498408BD1
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: %%%u$[$]:%u
• API String ID: 48624451-2819853543
• Opcode ID: 85d0548ad62addb4350d531c0ca4fc524c99000862dbe275fe7381c6fe74a36b
• Instruction ID: 82058dbbf731dd5492ef4342422ad161cc25ef6f69515bfe13d74f7748a2ed06
• Opcode Fuzzy Hash: 85d0548ad62addb4350d531c0ca4fc524c99000862dbe275fe7381c6fe74a36b
• Instruction Fuzzy Hash: 0B21957AE0011AABDB10DF79CC51AEEBBF8EF54741F58011AEA05E7204E730DA118BA0
Strings
• RTL: Re-Waiting, xrefs: 015D031E
• RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 015D02E7
• RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 015D02BD
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID:
• String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
• API String ID: 0-2474120054
• Opcode ID: b52ed6ca530cb43f91a3db4ac1d0a355b4e6a565f860f4cfc2d01c1cac27526c
• Instruction ID: d80d0e76ff7192bb0f336f8fa8ef02869a44a6bfc9ed12c5f15fe3141643ffb8
• Opcode Fuzzy Hash: b52ed6ca530cb43f91a3db4ac1d0a355b4e6a565f860f4cfc2d01c1cac27526c
• Instruction Fuzzy Hash: 0AE18B306047429FE725EF2CC884B2ABBE0BB88314F140A5AF5A5DF2E1D774D945CB52
Strings
• RTL: Re-Waiting, xrefs: 015D7BAC
• RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 015D7B7F
• RTL: Resource at %p, xrefs: 015D7B8E
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID:
• String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
• API String ID: 0-871070163
• Opcode ID: 60451a21d6ea4f14d26da9934ddc433deb6fd55cac1fb240df4d38573c1cb407
• Instruction ID: dd42d401fe329bcb76bf8aba0849165659c2c8b34ad18566198d2c566a32ce62
• Opcode Fuzzy Hash: 60451a21d6ea4f14d26da9934ddc433deb6fd55cac1fb240df4d38573c1cb407
• Instruction Fuzzy Hash: FF41D3317047039FEB25DE29D840F6AB7E5FB88710F100A1DE9669F680EB71E8058B92
APIs
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 015D728C
Strings
• RTL: Re-Waiting, xrefs: 015D72C1
• RTL: Resource at %p, xrefs: 015D72A3
• RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 015D7294
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
• String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
• API String ID: 885266447-605551621
• Opcode ID: 5fdd1c9d9d2feedf0c5af9eb5afb0278aa72fb72f65216e1f54c6aa06e96b701
• Instruction ID: a0a3a9965b6eac7efb7487b7d56353adcf8d8d41ee8a60f8bbd54093d738a4a1
• Opcode Fuzzy Hash: 5fdd1c9d9d2feedf0c5af9eb5afb0278aa72fb72f65216e1f54c6aa06e96b701
• Instruction Fuzzy Hash: B041CF31600243ABDB21DE29CC41F6AB7A6FB98714F100A19F959AF240DB21E85287D2
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: %%%u$]:%u
• API String ID: 48624451-3050659472
• Opcode ID: bb205a0f56d3a79ee1aa909767287b0423a710073b7b138b57dc0a8aa564a713
• Instruction ID: c91be12fdb1ed0cab4304f7a2f7c483d564fc71fe85df1b69a02ddd0821dc77e
• Opcode Fuzzy Hash: bb205a0f56d3a79ee1aa909767287b0423a710073b7b138b57dc0a8aa564a713
• Instruction Fuzzy Hash: 1431B672A002199FDB20DF2DCC50BEFB7F8FB44610F58045AE849E3244EB30EA548BA0
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID: __aulldvrm
• String ID: +$-
• API String ID: 1302938615-2137968064
• Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
• Instruction ID: 92c803a418fd47ec2722b98eb2a175bd6f23d3bf03513df8b40d80f60c8e65b8
• Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
• Instruction Fuzzy Hash: D491A771E802069EDF24DF6DC8806BEBBE5BF88321F94451AE965AF2C0D7329A408751
Strings
Memory Dump Source
• Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
Similarity
• API ID:
• String ID: $$@
• API String ID: 0-1194432280
• Opcode ID: 30ca48e94eb9de9b74109aa5b530c73a074268dc829a6f431a0b97f50dadfd65
• Instruction ID: 90d1700f0f7f9c1d2a6427d9090d6cf543c33866c7129f78ea0cfaf62bb8d811
• Opcode Fuzzy Hash: 30ca48e94eb9de9b74109aa5b530c73a074268dc829a6f431a0b97f50dadfd65
• Instruction Fuzzy Hash: D181EB71D0026A9FDB35DF94CC45BEEB6B8BB48754F1041DAAA19BB240E7705E84CFA0
APIs
• @_EH4_CallFilterFunc@8.LIBCMT ref: 015ECFBD
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2203344738.0000000001530000.00000040.00001000.00020000.00000000.sdmp, Offset: 01530000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1530000_RFQ-1024.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: CallFilterFunc@8
                                                                                                                                                                                                                      • String ID: @$@4Cw@4Cw
                                                                                                                                                                                                                      • API String ID: 4062629308-3101775584
                                                                                                                                                                                                                      • Opcode ID: 0fb2f20a92b4e8da08fc5b4bd16eb91e99a9049cfe594e5521b77a8b343e5c83
                                                                                                                                                                                                                      • Instruction ID: 39e065cee69c1838b08428b1a62f5e970ff8ae769f518b0c16503a6a5cd65cd1
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0fb2f20a92b4e8da08fc5b4bd16eb91e99a9049cfe594e5521b77a8b343e5c83
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6B418971D00216DFDB259FA9D844AAEBBF8FF94B90F04452AEA55DF254E730C801CB61

Execution Graph

Execution Coverage: 1.5%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 419
Total number of Limit Nodes: 14

Control-flow Graph

• Executed
• Not Executed
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.4573941205.000000000E2B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E2B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e2b0000_explorer.jbxd
Similarity
• API ID: CreateFile
• String ID: `
• API String ID: 823142352-2679148245
• Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
• Instruction ID: e97c1b4af2e109b49e6c031dc5d352bb03709aff0a25527ae9a7fbf0266d227a
• Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
• Instruction Fuzzy Hash: 61225C70A19A0A9FCB59DF28C4946AEFBF1FB58301F41462ED45EE3650DB30E851DB81

Control-flow Graph

• Executed
• Not Executed
APIs
• NtProtectVirtualMemory.NTDLL ref: 0E392E67
Memory Dump Source
• Source File: 00000006.00000002.4573941205.000000000E2B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E2B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e2b0000_explorer.jbxd
Similarity
• API ID: MemoryProtectVirtual
• String ID:
• API String ID: 2706961497-0
• Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
• Instruction ID: 1cc3c1410fd3cbafba75b7b091fcffdc1d7dd3af063c83e91968dfac0cd6f075
• Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
• Instruction Fuzzy Hash: 50015234668B484F9B84EF6CA485126B7E4FBD9315F000B3EE59AC7254D764D5414742

Control-flow Graph

APIs
• NtProtectVirtualMemory.NTDLL ref: 0E392E67
Memory Dump Source
• Source File: 00000006.00000002.4573941205.000000000E2B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E2B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e2b0000_explorer.jbxd
Similarity
• API ID: MemoryProtectVirtual
• String ID:
• API String ID: 2706961497-0
• Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
• Instruction ID: 54d196e4b393dc558187664f93aa907fb4c725d3f130791a1699c2651bcc00d2
• Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
• Instruction Fuzzy Hash: 56016234628B884B8B48EB7C94552A6B7E5FBCE314F400B7EE99AC3251DB65D9024782

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.4573941205.000000000E2B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E2B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e2b0000_explorer.jbxd
Similarity
• API ID: getaddrinfo
• String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
• API String ID: 300660673-1117930895
• Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
• Instruction ID: 24aa772bd8a037aab810d81b8b1e7c7688e97fefc97ec651b3457c546016e707
• Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
• Instruction Fuzzy Hash: FA529F30618B089BCB29EF68D4947EABBE1FB54300F504A2EC49FD7156DF34A949DB81

Control-flow Graph

APIs
• ObtainUserAgentString.URLMON ref: 0E38C9A0
Strings
Memory Dump Source
• Source File: 00000006.00000002.4573941205.000000000E2B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E2B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e2b0000_explorer.jbxd
Similarity
• API ID: AgentObtainStringUser
• String ID: User-Agent: $nt: $on.d$urlmon.dll
• API String ID: 2681117516-319646191
• Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
• Instruction ID: 09e8bb4faac1cb892b6302a825e801d08d045e5202bcbf7316344b6a3aef34a0
• Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
• Instruction Fuzzy Hash: B631DF71614A1C8BCF04FFA8D8847EEBBE0FB58204F40062AD45ED7250DF788A45C799

Control-flow Graph

APIs
• ObtainUserAgentString.URLMON ref: 0E38C9A0
Strings
Memory Dump Source
• Source File: 00000006.00000002.4573941205.000000000E2B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E2B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e2b0000_explorer.jbxd
Similarity
• API ID: AgentObtainStringUser
• String ID: User-Agent: $nt: $on.d$urlmon.dll
• API String ID: 2681117516-319646191
• Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
• Instruction ID: c3e0f8cb4b59bc8baf1cdd48b7aca3b8438be48522be60a255a70d2ace302ba1
• Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
• Instruction Fuzzy Hash: 6121CE70A10A1C8ACF04FFA8C8847EEBFE4FF58204F40466AD45AD7250DF748A45CB9A

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.4573941205.000000000E2B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E2B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e2b0000_explorer.jbxd
Similarity
• API ID: CreateMutex
• String ID: .dll$el32$kern
• API String ID: 1964310414-1222553051
• Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
• Instruction ID: ab8cf822897224b03a4e1ad26e92bed9fc564187d6575fe4ee94efddd1359f70
• Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
• Instruction Fuzzy Hash: 37413C70918A088FDB54FFA8C8947ADBBF0FB98300F44466AD84ADB255DE349945CB85

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.4573941205.000000000E2B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E2B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e2b0000_explorer.jbxd
Similarity
• API ID: CreateMutex
• String ID: .dll$el32$kern
• API String ID: 1964310414-1222553051
• Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
• Instruction ID: 89b3cfe6e504dcd5c7649dec546fd3c0d55344da0a7d32ea81b8771c8c6c2a88
• Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
• Instruction Fuzzy Hash: 65412B70918A088FDF94EFA8C4987ADBBF0FB58300F44457AC84EDB255DE309945CB85

Control-flow Graph
• Blocks: 399 e38e5b2-e38e5ea; 400 e38e60a-e38e62b (socket); 401 e38e5ec-e38e604 (call e391942)
• Edges: 399->400, 399->401, 401->400
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.4573941205.000000000E2B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E2B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e2b0000_explorer.jbxd
Similarity
• API ID: socket
• String ID: sock
• API String ID: 98920635-2415254727
• Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
• Instruction ID: 17e8eb04ae300d5a4f7d453a50dc0aa84450e91c15562b791a1f0390c43d4d89
• Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
• Instruction Fuzzy Hash: 370121706186188FCB84EF1CE048B54BBE0FB59314F1545ADD45EDB266C7B0C9818B86

Control-flow Graph
• Blocks: 404 e3862dd-e386320 (call e391942); 407 e3863fa-e38640e; 408 e386326; 409 e386328-e386339 (SleepEx); 410 e38633b-e386341; 411 e38634b-e386352; 412 e386343-e386349; 413 e38635c-e38636a (call e390f12); 414 e386370-e386376; 415 e386354-e38635a; 417 e386378-e38637e; 418 e3863b7-e3863bd; 420 e386380-e38638a; 421 e3863bf-e3863cf (call e386e72); 422 e3863d4-e3863db; 423 e38638c-e3863b1 (call e387432); 425 e3863e1-e3863f5 (call e3860f2)
• Edges: 404->407, 404->408, 408->409, 409->409 (self-loop on the SleepEx block), 409->410, 410->411, 410->412, 411->414, 411->415, 412->411, 412->413, 413->414, 414->417, 414->418, 415->413, 415->414, 417->418, 417->420, 418->421, 418->422, 420->418, 420->423, 421->422, 422->409, 422->425, 423->418, 425->409
APIs
Memory Dump Source
• Source File: 00000006.00000002.4573941205.000000000E2B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E2B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e2b0000_explorer.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
• Instruction ID: fedf81c2bb93b9c76b7a7282a25bc31a3ccb393e0179c7d0f2113fc3f1791bcd
• Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
• Instruction Fuzzy Hash: B8318BB0614B09DFCB64EF2981892A5BBA1FB64300F44467EC92DCB216CBB09854CFD1

Control-flow Graph
• Blocks: 440 e386412-e386446 (call e391942); 443 e386448-e386472 (call e393c9e, CreateThread); 444 e386473-e38647d
• Edges: 440->443, 440->444
APIs
Memory Dump Source
• Source File: 00000006.00000002.4573941205.000000000E2B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E2B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e2b0000_explorer.jbxd
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
• Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
• Instruction ID: ebf09b20f8fa143c0970251f06f8bad4091dfa47a6f6c609c319001204c4c6d2
• Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
• Instruction Fuzzy Hash: 30F0C230268A494FDB88EB2CD44562AB7E0EBA8214F454A3EA54DC3264DA29C9814756
Strings
Memory Dump Source
• Source File: 00000006.00000002.4573805143.000000000E130000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E130000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e130000_explorer.jbxd
Similarity
• API ID:
• String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
• API String ID: 0-393284711
• Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
• Instruction ID: 0a6dd7a8d542f9f406023c5e1ff7383fedd635e0626232455a2969096d0de042
• Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
• Instruction Fuzzy Hash: E1E16C74628F488FC764EF68C494BAAB7E0FB58300F504A2E959FC7291DF70A945CB85
Strings
Memory Dump Source
• Source File: 00000006.00000002.4573805143.000000000E130000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E130000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e130000_explorer.jbxd
Similarity
• API ID:
• String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
• API String ID: 0-2916316912
• Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
• Instruction ID: ca1f5370cb0572a6978b7b11a38ba73b902843861a18d96fdcd951999aa51f23
• Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
• Instruction Fuzzy Hash: B3B16D30528B488FDB55EF68C489AEEB7F1FF98300F50491ED49AC7292DF7099458B85
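The String ID fields in these entries are the text immediates the IDA plugin found in each function, sorted and joined with "$". Several of them are four-character pieces that only make sense once reassembled: "kern$el32$.dll" is kernel32.dll, and the field above holds the Firefox logins.json keys (encryptedUsername, encryptedPassword, usernameField, guid) in pieces. The Python below is an added example, not part of the Joe Sandbox report or its plugin: it takes String ID fields copied from this report, assumes the fragments come from strings written four bytes at a time (an assumption about the sample, not something the report states) while other names are referenced intact, and checks each field against a hand-picked dictionary of names an analyst would expect. The dictionary and the helper names are the example's own.

```python
"""Match 4-byte stack-string fragments from a Joe Sandbox "String ID" field
against a dictionary of expected names.

Added example, not part of the Joe Sandbox report. Assumption: a string the
sample builds four bytes at a time shows up as its sorted 4-character pieces,
while a string referenced as a whole shows up intact.
"""
from typing import Iterable, List

# String ID fields copied from this report's explorer.exe dump entries.
STRING_ID_KERNEL32 = ".dll$el32$kern"
STRING_ID_DLLS = ".dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini"
STRING_ID_FIREFOX = ("Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR"
                     "$name$rnam$swor$user$ypte$ypte")
STRING_ID_BROWSER = "4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi"

# Hand-picked candidate dictionaries (the example's own choice). The Firefox
# names are the keys of a logins.json entry; the DLL lists mix names that do
# and do not appear in the fields so the misses are visible too.
DLL_CANDIDATES = ["kernel32.dll", "user32.dll", "wininet.dll",
                  "ntdll.dll", "advapi32.dll"]
FIREFOX_CANDIDATES = ["hostname", "httpRealm", "formSubmitURL",
                      "usernameField", "passwordField",
                      "encryptedUsername", "encryptedPassword", "guid"]
BROWSER_CANDIDATES = ["nspr4.dll", "nss3.dll", "sspicli.dll",
                      "dragon_s.dll", "opera_browser.dll", "sqlite3.dll"]


def fragments(string_id: str) -> List[str]:
    """Split a String ID field on its '$' separator (empty field -> no fragments)."""
    return string_id.split("$") if string_id else []


def chunk4(name: str) -> List[str]:
    """Cut a name into the 4-character pieces a DWORD-at-a-time write would leave."""
    return [name[i:i + 4] for i in range(0, len(name), 4)]


def missing_pieces(string_id: str, name: str) -> List[str]:
    """Pieces of `name` absent from the field; an empty list means fully covered.

    A name that appears intact in the field needs no chunking at all.
    """
    frags = set(fragments(string_id))
    if name in frags:
        return []
    return [piece for piece in chunk4(name) if piece not in frags]


def covered(string_id: str, candidates: Iterable[str]) -> List[str]:
    """Candidates whose every piece (or whole name) is present in the field."""
    return sorted(c for c in candidates if not missing_pieces(string_id, c))


def unexplained(string_id: str, candidates: Iterable[str]) -> List[str]:
    """Fragments no fully covered candidate accounts for.

    These are the pieces worth chasing in the disassembly: either a name the
    dictionary lacks, or a partial match such as a string with one piece
    the plugin did not list.
    """
    used = set()
    for name in covered(string_id, candidates):
        used.add(name)
        used.update(chunk4(name))
    return sorted(f for f in set(fragments(string_id)) if f not in used)


def report(string_id: str, candidates: Iterable[str]) -> str:
    """Human-readable summary for one String ID field."""
    candidates = list(candidates)
    lines = [f"field: {string_id}"]
    for name in candidates:
        gap = missing_pieces(string_id, name)
        lines.append(f"  {name:<20} {'covered' if not gap else 'missing ' + ','.join(gap)}")
    lines.append("  unexplained fragments: " + ", ".join(unexplained(string_id, candidates)))
    return "\n".join(lines)


if __name__ == "__main__":
    for field, dictionary in ((STRING_ID_KERNEL32, DLL_CANDIDATES),
                              (STRING_ID_DLLS, DLL_CANDIDATES),
                              (STRING_ID_FIREFOX, FIREFOX_CANDIDATES),
                              (STRING_ID_BROWSER, BROWSER_CANDIDATES)):
        print(report(field, dictionary))
```

Run against the Firefox field, the check recovers the four logins.json keys and leaves "Subm", "form" and "itUR" unexplained: formSubmitURL is three of four pieces present with the single trailing "L" absent from the field, which is exactly the kind of partial match to confirm in the disassembly rather than in the report. For the browser-DLL field, dragon_s.dll and opera_browser.dll match intact while nspr4.dll and sspicli.dll match only after reassembly, so both cases need handling.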
Strings
Memory Dump Source
• Source File: 00000006.00000002.4573805143.000000000E130000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E130000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e130000_explorer.jbxd
Similarity
• API ID:
• String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
• API String ID: 0-1539916866
• Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
• Instruction ID: 9199d6ee5b6c3d91900f547c70caf63de9fab430425cd01e30c2b20a6483e419
• Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
• Instruction Fuzzy Hash: C541CF70A18B08CFDB14EF98A8457BE7BE2FB88700F00025ED909D3245DBB59D858BD6
Strings
Memory Dump Source
• Source File: 00000006.00000002.4573805143.000000000E130000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E130000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e130000_explorer.jbxd
Similarity
• API ID:
• String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
• API String ID: 0-355182820
• Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
• Instruction ID: 3ec2be5a4781b48fa8956ad01441582d7170d2c40fede93e4b3fd4573c218d9e
• Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
• Instruction Fuzzy Hash: 39C17D74228B098FC758EF24C499ADAF3E1FB94304F404B2E959AC7291DF70A955CBC6
Strings
Memory Dump Source
• Source File: 00000006.00000002.4573805143.000000000E130000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E130000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e130000_explorer.jbxd
Similarity
• API ID:
• String ID: .$0$c$n$r$r$r$r$r$r$r$r
• API String ID: 0-97273177
• Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
• Instruction ID: bda90620763e68c71fba60b3feff0fbbed3ac47735d31fb97e425a35adadb590
• Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
• Instruction Fuzzy Hash: DE51D6315287488FD719DF18C8856AAB7E5FBC5700F50192EE8CBC7292DBB49906CB82
Strings
Memory Dump Source
• Source File: 00000006.00000002.4573805143.000000000E130000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E130000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e130000_explorer.jbxd
Similarity
• API ID:
• String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
• API String ID: 0-639201278
Strings
Memory Dump Source
• Source File: 00000006.00000002.4573805143.000000000E130000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E130000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e130000_explorer.jbxd
Similarity
• API ID:
• String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
• API String ID: 0-639201278
Strings
Memory Dump Source
• Source File: 00000006.00000002.4573805143.000000000E130000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E130000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e130000_explorer.jbxd
Similarity
• API ID:
• String ID: UR$2$L: $Pass$User$name$word
• API String ID: 0-2058692283
Strings
Memory Dump Source
• Source File: 00000006.00000002.4573805143.000000000E130000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E130000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e130000_explorer.jbxd
Similarity
• API ID:
• String ID: UR$2$L: $Pass$User$name$word
• API String ID: 0-2058692283
Strings
Memory Dump Source
• Source File: 00000006.00000002.4573805143.000000000E130000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E130000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e130000_explorer.jbxd
Similarity
• API ID:
• String ID: $.$e$n$v
• API String ID: 0-1849617553
Strings
Memory Dump Source
• Source File: 00000006.00000002.4573805143.000000000E130000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E130000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e130000_explorer.jbxd
Similarity
• API ID:
• String ID: 2.dl$dll$l32.$ole3$shel
• API String ID: 0-1970020201
Strings
Memory Dump Source
• Source File: 00000006.00000002.4573805143.000000000E130000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E130000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e130000_explorer.jbxd
Similarity
• API ID:
• String ID: 4$\$dll$ion.$vers
• API String ID: 0-1610437797
Strings
Memory Dump Source
• Source File: 00000006.00000002.4573805143.000000000E130000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E130000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e130000_explorer.jbxd
Similarity
• API ID:
• String ID: 32.d$cli.$dll$sspi$user
• API String ID: 0-327345718
Strings
Memory Dump Source
• Source File: 00000006.00000002.4573805143.000000000E130000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E130000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e130000_explorer.jbxd
Similarity
• API ID:
• String ID: .dll$el32$h$kern
• API String ID: 0-4264704552
Strings
Memory Dump Source
• Source File: 00000006.00000002.4573805143.000000000E130000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E130000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e130000_explorer.jbxd
Similarity
• API ID:
• String ID: $Snif$f fr$om:
• API String ID: 0-3434893486
                                                                                                                                                                                                                      • Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                                                                                                                                                                                                      • Instruction ID: 5c9bd974272e6ba79f1c2d873b6754e6a94b4ccb7c6000824167d53f367e5647
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1E31A57551DB889FD71ADB28C4886DAB7D4FB94300F504D1EE49BC7292EE30A94ACB43
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000006.00000002.4573805143.000000000E130000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E130000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_6_2_e130000_explorer.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: $Snif$f fr$om:
                                                                                                                                                                                                                      • API String ID: 0-3434893486
                                                                                                                                                                                                                      • Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
                                                                                                                                                                                                                      • Instruction ID: 0af0ec21807613ff48dad94fc90015442bd9f3a91051d6d46ac346d90e637c47
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 7C31C47151CB48AFD719DB28C4886EAB7D5FB94300F504D1EE49BC7292EE30A946CA83
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000006.00000002.4573805143.000000000E130000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E130000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_6_2_e130000_explorer.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: .dll$chro$hild$me_c
                                                                                                                                                                                                                      • API String ID: 0-3136806129
                                                                                                                                                                                                                      • Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
                                                                                                                                                                                                                      • Instruction ID: c6685c4720be3a0a8396f92eec54561a06870a792b8b42a9c3c611db2156faea
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 30316D71118B488FCB84EF689494BAAB7E1FF98200F940A3DD54ECB255DF30D9858792
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000006.00000002.4573805143.000000000E130000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E130000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_6_2_e130000_explorer.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: .dll$chro$hild$me_c
                                                                                                                                                                                                                      • API String ID: 0-3136806129
                                                                                                                                                                                                                      • Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                                                                                                                                                                                                                      • Instruction ID: c910502b11b84c927138aeb484c40f40ca2b80f694624e15b573dc041b530cfc
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: DD315E71118B488FCB84EF689494BAAB7E1FF98300F944A3DD54ECB295DF30C9858792
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000006.00000002.4573805143.000000000E130000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E130000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_6_2_e130000_explorer.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                                                                                                                                                                                      • API String ID: 0-319646191
                                                                                                                                                                                                                      • Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                                                                                                                                                                                      • Instruction ID: e9e7faf72a9632ce5a3f12e07fc5280df1ce10b5223f9909a92945eead9afcf0
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 7231B171614A0C8BCB44EFA8C8887EDBBE5FB58214F40462AD45ED7291DF748A45C789
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000006.00000002.4573805143.000000000E130000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E130000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_6_2_e130000_explorer.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                                                                                                                                                                                      • API String ID: 0-319646191
                                                                                                                                                                                                                      • Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                                                                                                                                                                                      • Instruction ID: a92520c03d0fef94c6be42d3f2ab83da8ae95c17b48e1e2862db87bf56ce7089
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8621E471620A0C8BCB04EFA8C8887EDBBE5FF58304F40462AD45AD7291DF748A45C7C9
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000006.00000002.4573805143.000000000E130000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E130000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_6_2_e130000_explorer.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: .$l$l$t
                                                                                                                                                                                                                      • API String ID: 0-168566397
                                                                                                                                                                                                                      • Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
                                                                                                                                                                                                                      • Instruction ID: 7c5a2a3425eccd3b980b73c5918f506e80dd1f5a901f5a1bfe4a2e17d8d222db
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8B219C74A24A0D9BDB08EFA8D4447EDBBF1FF18304F504A2ED009D3681DB749991CB84
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000006.00000002.4573805143.000000000E130000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E130000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_6_2_e130000_explorer.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: .$l$l$t
                                                                                                                                                                                                                      • API String ID: 0-168566397
                                                                                                                                                                                                                      • Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
                                                                                                                                                                                                                      • Instruction ID: 5a04069b340719be5055be2921c8314661765b4658c483a9deb7898ae1769c08
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5E217A74A24A0D9BDB48EFA8D4447AEBBF1FB18304F504A2ED009D3691DB7499918B84
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000006.00000002.4573805143.000000000E130000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E130000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_6_2_e130000_explorer.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: auth$logi$pass$user
                                                                                                                                                                                                                      • API String ID: 0-2393853802
                                                                                                                                                                                                                      • Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
                                                                                                                                                                                                                      • Instruction ID: 976d894c388e89801705e3d9f280232502e4971909a4943f4e8591e18b99c5d7
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2B21CD70724B0D8BCB05DF9998907EEB7E1EF88354F004A1AE40AEB295D7B0DD548BC2

Execution Graph

Execution Coverage: 1.7%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 623
Total number of Limit Nodes: 67

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • NtQueryInformationProcess.NTDLL ref: 03AFA19F
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4565524663.0000000003AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03AF0000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_3af0000_netsh.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InformationProcessQuery
                                                                                                                                                                                                                      • String ID: 0
                                                                                                                                                                                                                      • API String ID: 1778838933-4108050209
                                                                                                                                                                                                                      • Opcode ID: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
                                                                                                                                                                                                                      • Instruction ID: d64bfcbeb12484a2028ebadebb1cbd786b29da232ae9c89843c9d82b31bbc4b2
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 85F11F74518A8C8FDBA9EF68C894AEEB7E0FF98305F40462AE54EDB250DF349541CB41

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4565524663.0000000003AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03AF0000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_3af0000_netsh.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Section$CloseCreateView
                                                                                                                                                                                                                      • String ID: @$@
                                                                                                                                                                                                                      • API String ID: 1133238012-149943524
                                                                                                                                                                                                                      • Opcode ID: db7dcd85dc853400a789dde9de35cb8114d6383d98fd4a16120e7ccab82aa783
                                                                                                                                                                                                                      • Instruction ID: bf0f41cae188efc9e4c2c550c823d9903e906daa7976f26395cac99a4dc66eac
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: db7dcd85dc853400a789dde9de35cb8114d6383d98fd4a16120e7ccab82aa783
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 66617270518B488FCB58EF68D8856AABBE0FF98314F50062EF68AC3651DF35D441CB86

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                                      • Not Executed
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.4565524663.0000000003AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03AF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3af0000_netsh.jbxd
Similarity
• API ID: Section$CreateView
• String ID: @$@
• API String ID: 1585966358-149943524

APIs
• NtQueryInformationProcess.NTDLL ref: 03AFA19F
Strings
Memory Dump Source
• Source File: 00000008.00000002.4565524663.0000000003AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03AF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3af0000_netsh.jbxd
Similarity
• API ID: InformationProcessQuery
• String ID: 0
• API String ID: 1778838933-4108050209

Control-flow Graph (function at 332a2ea): calls NtCreateFile
APIs
• NtCreateFile.NTDLL(00000060,00000000,.z`,03324BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,03324BB7,007A002E,00000000,00000060,00000000,00000000), ref: 0332A37D
Strings
Memory Dump Source
• Source File: 00000008.00000002.4564832433.0000000003310000.00000040.80000000.00040000.00000000.sdmp, Offset: 03310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3310000_netsh.jbxd
Yara matches
Similarity
• API ID: CreateFile
• String ID: .z`
• API String ID: 823142352-1441809116

Control-flow Graph (function at 332a32a): calls NtCreateFile
APIs
• NtCreateFile.NTDLL(00000060,00000000,.z`,03324BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,03324BB7,007A002E,00000000,00000060,00000000,00000000), ref: 0332A37D
Strings
Memory Dump Source
• Source File: 00000008.00000002.4564832433.0000000003310000.00000040.80000000.00040000.00000000.sdmp, Offset: 03310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3310000_netsh.jbxd
Yara matches
Similarity
• API ID: CreateFile
• String ID: .z`
• API String ID: 823142352-1441809116

Control-flow Graph (function at 332a330): calls NtCreateFile
APIs
• NtCreateFile.NTDLL(00000060,00000000,.z`,03324BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,03324BB7,007A002E,00000000,00000060,00000000,00000000), ref: 0332A37D
Strings
Memory Dump Source
• Source File: 00000008.00000002.4564832433.0000000003310000.00000040.80000000.00040000.00000000.sdmp, Offset: 03310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3310000_netsh.jbxd
Yara matches
Similarity
• API ID: CreateFile
• String ID: .z`
• API String ID: 823142352-1441809116

APIs
• NtReadFile.NTDLL(03324D72,5EB65239,FFFFFFFF,03324A31,?,?,03324D72,?,03324A31,FFFFFFFF,5EB65239,03324D72,?,00000000), ref: 0332A425
Memory Dump Source
• Source File: 00000008.00000002.4564832433.0000000003310000.00000040.80000000.00040000.00000000.sdmp, Offset: 03310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3310000_netsh.jbxd
Yara matches
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0

APIs
• NtReadFile.NTDLL(03324D72,5EB65239,FFFFFFFF,03324A31,?,?,03324D72,?,03324A31,FFFFFFFF,5EB65239,03324D72,?,00000000), ref: 0332A425
Memory Dump Source
• Source File: 00000008.00000002.4564832433.0000000003310000.00000040.80000000.00040000.00000000.sdmp, Offset: 03310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3310000_netsh.jbxd
Yara matches
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0

APIs
• NtClose.NTDLL(03324D50,?,?,03324D50,00000000,FFFFFFFF), ref: 0332A485
Memory Dump Source
• Source File: 00000008.00000002.4564832433.0000000003310000.00000040.80000000.00040000.00000000.sdmp, Offset: 03310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3310000_netsh.jbxd
Yara matches
Similarity
• API ID: Close
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3535843008-0
                                                                                                                                                                                                                      • Opcode ID: bd82444856bed58548c441bf307f6eaadb065f8503de15c78d6c445b76fc939d
                                                                                                                                                                                                                      • Instruction ID: a3e0b8fb4d0fc79495e41c08c4cd2ed3b1f4ccaea3bf1add61b7fb4089e0d103
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: bd82444856bed58548c441bf307f6eaadb065f8503de15c78d6c445b76fc939d
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F1E0C276600214BFD720EFA4CC84EDB7B68EF44350F104559F90EAB242C530E5108B90
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • NtClose.NTDLL(03324D50,?,?,03324D50,00000000,FFFFFFFF), ref: 0332A485
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4564832433.0000000003310000.00000040.80000000.00040000.00000000.sdmp, Offset: 03310000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_3310000_netsh.jbxd
                                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Close
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3535843008-0
                                                                                                                                                                                                                      • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                                                                                                                                                                                      • Instruction ID: 093a33451f87a800c802e8930651bdb28450b4b5afc81f08c78114d22411b8d8
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C3D01776610314BBD710EB98CC85EA77BACEF48660F154599BA189B242C930FA0086E0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4565640687.0000000003C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C10000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4565640687.0000000003D39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4565640687.0000000003D3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4565640687.0000000003DAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_3c10000_netsh.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2994545307-0
                                                                                                                                                                                                                      • Opcode ID: 538b01fec691795a771b131707c41d6d2ca55e7a65faef34b9e4cdc7f8997b7f
                                                                                                                                                                                                                      • Instruction ID: cbf562e7ce1f695eb2f0f609d37fd2ce93ae43322ebb9fd9847798237173138e
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 538b01fec691795a771b131707c41d6d2ca55e7a65faef34b9e4cdc7f8997b7f
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 479002A1202504035506B1584418616400A87E1601B56C022E101C690DCA2589916129
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4565640687.0000000003C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C10000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4565640687.0000000003D39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4565640687.0000000003D3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4565640687.0000000003DAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_3c10000_netsh.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2994545307-0
                                                                                                                                                                                                                      • Opcode ID: 52678b9a3ec32581fb33218015e1745bb6e3cee88c4879876716efe52b31b0e1
                                                                                                                                                                                                                      • Instruction ID: bcb0ff5ea8dfbc671e41bbcdbe0aeefe976d411bb918762eb210e2ca7339f9cb
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 52678b9a3ec32581fb33218015e1745bb6e3cee88c4879876716efe52b31b0e1
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 53900265211504031506F5580708507004687D6751356C022F101D650CDB2189615125
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4565640687.0000000003C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C10000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4565640687.0000000003D39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4565640687.0000000003D3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4565640687.0000000003DAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_3c10000_netsh.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2994545307-0
                                                                                                                                                                                                                      • Opcode ID: 60b5558ab353984bc90c47246f2c6f665780417eea0b7de15ca0e9f3cbd1fbf2
                                                                                                                                                                                                                      • Instruction ID: d4f41e3a799a2e519a85f4b3d6d62951bbcd39f6f0a0cc10b2d88c3e17fe91af
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 60b5558ab353984bc90c47246f2c6f665780417eea0b7de15ca0e9f3cbd1fbf2
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5C900261211D0442E601B5684C18B07000587D1703F56C116A015C654CCE1589615525
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4565640687.0000000003C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C10000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4565640687.0000000003D39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4565640687.0000000003D3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4565640687.0000000003DAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_3c10000_netsh.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2994545307-0
                                                                                                                                                                                                                      • Opcode ID: f0fb48958dd34287d632766db39c0886c8a84b43bf2f657b41fbe0e3e3e424f9
                                                                                                                                                                                                                      • Instruction ID: bd37a752f5befa99148fedeeb95ed54eb8de48b27bb4faba45c3d98859991d6b
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f0fb48958dd34287d632766db39c0886c8a84b43bf2f657b41fbe0e3e3e424f9
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0D9002A134150842E501B1584418B060005C7E2701F56C016E106C654D8B19CD52612A
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4565640687.0000000003C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C10000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4565640687.0000000003D39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4565640687.0000000003D3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4565640687.0000000003DAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_3c10000_netsh.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2994545307-0
                                                                                                                                                                                                                      • Opcode ID: b9adceb76df2529d0495e3f96df8444aa93c7cdf14793ece5ba72fa7def28f38
                                                                                                                                                                                                                      • Instruction ID: b53153f7df2f997ec02f867549f47ac0498c261c5f542f73ba676b67656bdc68
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b9adceb76df2529d0495e3f96df8444aa93c7cdf14793ece5ba72fa7def28f38
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: FA9002B120150802E541B1584408746000587D1701F56C012A506C654E8B598ED56669
                                                                                                                                                                                                                      APIs
Memory Dump Source
• Source File: 00000008.00000002.4565640687.0000000003C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C10000, based on PE: true
• Associated: 00000008.00000002.4565640687.0000000003D39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4565640687.0000000003D3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4565640687.0000000003DAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3c10000_netsh.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: e26bd51b8583c08b61984009c5fff8b46edfb715a5b5ccf1eb118fc8bae19e20
• Instruction ID: f28f1bfce55e1974af027084e34626cceaac87b12dc98d2000570517ad16ee9e
• Opcode Fuzzy Hash: e26bd51b8583c08b61984009c5fff8b46edfb715a5b5ccf1eb118fc8bae19e20
• Instruction Fuzzy Hash: CC900261242545526946F1584408507400697E1641796C013A141CA50C8A269956D625
APIs
Memory Dump Source
• Source File: 00000008.00000002.4565640687.0000000003C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C10000, based on PE: true
• Associated: 00000008.00000002.4565640687.0000000003D39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4565640687.0000000003D3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4565640687.0000000003DAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3c10000_netsh.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 0fdc9362451dc928bdbddca0e678fbb2f5b5e6bdcb5985611a83faa7cf58f98f
• Instruction ID: 5e1ec697e2634e93690016f413a79d998f3231047b4ccb205b1c0bb2f0320828
• Opcode Fuzzy Hash: 0fdc9362451dc928bdbddca0e678fbb2f5b5e6bdcb5985611a83faa7cf58f98f
• Instruction Fuzzy Hash: C790027120150813E512B1584508707000987D1641F96C413A042C658D9B568A52A125
APIs
Memory Dump Source
• Source File: 00000008.00000002.4565640687.0000000003C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C10000, based on PE: true
• Associated: 00000008.00000002.4565640687.0000000003D39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4565640687.0000000003D3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4565640687.0000000003DAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3c10000_netsh.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: ff29339330a0c119a155f78a6ad2574549a7540ed87045ec82afd29c6fb1ad1f
• Instruction ID: fad06caf22a6a82877ec0333be20c69d724a232cc51bca2d30e61f14a49bf013
• Opcode Fuzzy Hash: ff29339330a0c119a155f78a6ad2574549a7540ed87045ec82afd29c6fb1ad1f
• Instruction Fuzzy Hash: A790026921350402E581B158540C60A000587D2602F96D416A001D658CCE1589695325
APIs
Memory Dump Source
• Source File: 00000008.00000002.4565640687.0000000003C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C10000, based on PE: true
• Associated: 00000008.00000002.4565640687.0000000003D39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4565640687.0000000003D3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4565640687.0000000003DAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3c10000_netsh.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 771ec7c2043d08483aff81f4229b3c3dcdb6c5fdc71be24e95a3fd9647f9169a
• Instruction ID: 40800911e2204182adca0d374ca21dee3da134ec69ecab58ffe9f0a73b223f7b
• Opcode Fuzzy Hash: 771ec7c2043d08483aff81f4229b3c3dcdb6c5fdc71be24e95a3fd9647f9169a
• Instruction Fuzzy Hash: 5F90027120150802E501B598540C646000587E1701F56D012A502C655ECB6589916135
APIs
Memory Dump Source
• Source File: 00000008.00000002.4565640687.0000000003C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C10000, based on PE: true
• Associated: 00000008.00000002.4565640687.0000000003D39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4565640687.0000000003D3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4565640687.0000000003DAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3c10000_netsh.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 70818572fd5ec6657d877d2fce317d9e6281d701e9d36c5b20a3f51c47591d8b
• Instruction ID: 025fb4c6803bd1e916eaa96d1d0b68ed4a284704c8915d9c2959999411ac0f22
• Opcode Fuzzy Hash: 70818572fd5ec6657d877d2fce317d9e6281d701e9d36c5b20a3f51c47591d8b
• Instruction Fuzzy Hash: BE90027120150C42E501B1584408B46000587E1701F56C017A012C754D8B15C9517525
APIs
Memory Dump Source
• Source File: 00000008.00000002.4565640687.0000000003C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C10000, based on PE: true
• Associated: 00000008.00000002.4565640687.0000000003D39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4565640687.0000000003D3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4565640687.0000000003DAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3c10000_netsh.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: ae1ec420588f92d07b079ab78025ee3810d5ca473b22ef09cd45170ac5abcd0c
• Instruction ID: d3c19efc36f2e9c0230f54c092aef49fe33880a657d332817a343359baf832e0
• Opcode Fuzzy Hash: ae1ec420588f92d07b079ab78025ee3810d5ca473b22ef09cd45170ac5abcd0c
• Instruction Fuzzy Hash: AB90027120158C02E511B158840874A000587D1701F5AC412A442C758D8B9589917125
APIs
Memory Dump Source
• Source File: 00000008.00000002.4565640687.0000000003C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C10000, based on PE: true
• Associated: 00000008.00000002.4565640687.0000000003D39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4565640687.0000000003D3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4565640687.0000000003DAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3c10000_netsh.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 5fb069161b211e90325e7efd45c7250ac5ecba376147701c0a45c3ee45cafec5
• Instruction ID: 452a0b8aa8ad263096d15b8b453ae528df56bf3b69281b3884a851053fa7dd96
• Opcode Fuzzy Hash: 5fb069161b211e90325e7efd45c7250ac5ecba376147701c0a45c3ee45cafec5
• Instruction Fuzzy Hash: 1190027160560802E501B1584518706100587D1601F66C412A042C668D8B958A5165A6

Control-flow Graph
(rendered graph not preserved; the executed / not-executed colouring is lost. Basic blocks and edges recovered from the graph data:)
Blocks
• 399: 3329050-3329092, call 332bd10
• 402: 3329098-33290e8, call 332bde0, call 331acf0, call 3324e50
• 403: 332916c-3329172
• 410: 33290f0-3329101, Sleep
• 411: 3329103-3329109
• 412: 3329166-332916a
• 413: 3329133-3329154, call 3328e80
• 414: 332910b-3329131, call 3328c70
• 418: 3329159-332915c
Edges
• 399->402, 399->403, 402->410, 410->411, 410->412, 411->413, 411->414, 412->403, 412->410, 413->418, 414->418, 418->412
APIs
• Sleep.KERNELBASE(000007D0), ref: 033290F8
Strings
Memory Dump Source
• Source File: 00000008.00000002.4564832433.0000000003310000.00000040.80000000.00040000.00000000.sdmp, Offset: 03310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3310000_netsh.jbxd
Yara matches
Similarity
• API ID: Sleep
• String ID: net.dll$wininet.dll
• API String ID: 3472027048-1269752229
• Opcode ID: 00abbd859a037500943f80a5b6545ea23ce8f4be967ff05766dd9fdc495b2c96
• Instruction ID: 140f284e55dacb34a7e9a5f12df794173f14690dbf6abc71d32246a43f99c1c0
• Opcode Fuzzy Hash: 00abbd859a037500943f80a5b6545ea23ce8f4be967ff05766dd9fdc495b2c96
• Instruction Fuzzy Hash: 983194B6900754ABC714DF65CCC5F67BBB8BB48B00F04851DFA2A5B245DB30B660CBA4

Control-flow Graph
control_flow_graph 419 3329049-332907f 420 332908b-3329092 419->420 421 3329086 call 332bd10 419->421 422 3329098-33290e8 call 332bde0 call 331acf0 call 3324e50 420->422 423 332916c-3329172 420->423 421->420 430 33290f0-3329101 Sleep 422->430 431 3329103-3329109 430->431 432 3329166-332916a 430->432 433 3329133-3329154 call 3328e80 431->433 434 332910b-3329131 call 3328c70 431->434 432->423 432->430 438 3329159-332915c 433->438 434->438 438->432
APIs
• Sleep.KERNELBASE(000007D0), ref: 033290F8
Strings
Memory Dump Source
• Source File: 00000008.00000002.4564832433.0000000003310000.00000040.80000000.00040000.00000000.sdmp, Offset: 03310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3310000_netsh.jbxd
Yara matches
Similarity
• API ID: Sleep
• String ID: net.dll$wininet.dll
• API String ID: 3472027048-1269752229
• Opcode ID: e191ee9f5ab735ee5d62eaf5e3a72660e67236fea0027b293c4f057941f71e4a
• Instruction ID: d2beb76e29e416d3e6cf87d42fc01624a228ea21906a191cc4dc4ee9b70efd19
• Opcode Fuzzy Hash: e191ee9f5ab735ee5d62eaf5e3a72660e67236fea0027b293c4f057941f71e4a
• Instruction Fuzzy Hash: 712193B6900354ABCB14DF65C8C5FABFBB8FB48700F14811DEA196B245D774B560CB94

Control-flow Graph
control_flow_graph 556 332a632-332a657 call 332af30 558 332a65c-332a671 RtlFreeHeap 556->558
APIs
• RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,03313AF8), ref: 0332A66D
Strings
Memory Dump Source
• Source File: 00000008.00000002.4564832433.0000000003310000.00000040.80000000.00040000.00000000.sdmp, Offset: 03310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3310000_netsh.jbxd
Yara matches
Similarity
• API ID: FreeHeap
• String ID: .z`
• API String ID: 3298025750-1441809116
• Opcode ID: 5bca1434af71235a765000b781c50ed5c4bf131192a700c4342c6be7842671a9
• Instruction ID: 2807c97515280b0873fd761c0c44bd12ee9217e40c7248130af9cd084f8a74fe
• Opcode Fuzzy Hash: 5bca1434af71235a765000b781c50ed5c4bf131192a700c4342c6be7842671a9
• Instruction Fuzzy Hash: CEF039B5220304ABD718EF58DC89EE777A9FF48750F118669FA485B242D631E8118BA0

Control-flow Graph
control_flow_graph 559 332a640-332a656 560 332a65c-332a671 RtlFreeHeap 559->560 561 332a657 call 332af30 559->561 561->560
APIs
• RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,03313AF8), ref: 0332A66D
Strings
Memory Dump Source
• Source File: 00000008.00000002.4564832433.0000000003310000.00000040.80000000.00040000.00000000.sdmp, Offset: 03310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3310000_netsh.jbxd
Yara matches
Similarity
• API ID: FreeHeap
• String ID: .z`
• API String ID: 3298025750-1441809116
• Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
• Instruction ID: 990a1c5603b720f6b330f3602cfc34df218504f38fe38b54b56170c06b71bad5
• Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
• Instruction Fuzzy Hash: 62E01AB56102146BD714DF59CC44EA777ACAF88650F014555B9085B241C630E9108AB0

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0331836A
                                                                                                                                                                                                                      • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0331838B
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4564832433.0000000003310000.00000040.80000000.00040000.00000000.sdmp, Offset: 03310000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_3310000_netsh.jbxd
                                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: MessagePostThread
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1836367815-0
                                                                                                                                                                                                                      • Opcode ID: 7e4e56330453795c291b08fc23cbebb4c7108165151036bb208ae8e60e338b98
                                                                                                                                                                                                                      • Instruction ID: 7e536e26f367ae862a05bf9c6509ee6bc5693179e4a404f9604747bad1cd7219
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 7e4e56330453795c291b08fc23cbebb4c7108165151036bb208ae8e60e338b98
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: E301F235E8032877E724E6949C82FBE7B2C5B00F51F080118FF08BE1C0EAA4690646F6
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0331AD62
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4564832433.0000000003310000.00000040.80000000.00040000.00000000.sdmp, Offset: 03310000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_3310000_netsh.jbxd
                                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Load
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2234796835-0
                                                                                                                                                                                                                      • Opcode ID: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
                                                                                                                                                                                                                      • Instruction ID: 17cf60c6914506f4eff163fbbc1a3d2abbd35869e000ba6eed558ccd8499fe48
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: CC0171B9D0020DBBDF10EBE0DC81FDDB7789B44209F1445A5E9089B240F631EB18CB91
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,?,0331F1D2,0331F1D2,?,00000000,?,?), ref: 0332A7D0
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4564832433.0000000003310000.00000040.80000000.00040000.00000000.sdmp, Offset: 03310000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_3310000_netsh.jbxd
                                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: LookupPrivilegeValue
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3899507212-0
                                                                                                                                                                                                                      • Opcode ID: 3cbd036db815f1a6f831822f4f400f7b7e145f9e35e5d4bf65d90379d78bfa16
                                                                                                                                                                                                                      • Instruction ID: 723bda417245384acf25e727aedf329b63728e8dd31edcdc512bad58d80eaf61
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3cbd036db815f1a6f831822f4f400f7b7e145f9e35e5d4bf65d90379d78bfa16
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 7101ADB56102186BDB10EF58DC80DEB77A9EF88214F058559F90957202CA30E9158AB1
APIs
• CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0332A704
Memory Dump Source
• Source File: 00000008.00000002.4564832433.0000000003310000.00000040.80000000.00040000.00000000.sdmp, Offset: 03310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3310000_netsh.jbxd
Yara matches
Similarity
• API ID: CreateInternalProcess
• String ID:
• API String ID: 2186235152-0
APIs
• CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0331F050,?,?,00000000), ref: 033291BC
Memory Dump Source
• Source File: 00000008.00000002.4564832433.0000000003310000.00000040.80000000.00040000.00000000.sdmp, Offset: 03310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3310000_netsh.jbxd
Yara matches
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
APIs
• CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0331F050,?,?,00000000), ref: 033291BC
Memory Dump Source
• Source File: 00000008.00000002.4564832433.0000000003310000.00000040.80000000.00040000.00000000.sdmp, Offset: 03310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3310000_netsh.jbxd
Yara matches
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,?,0331F1D2,0331F1D2,?,00000000,?,?), ref: 0332A7D0
Memory Dump Source
• Source File: 00000008.00000002.4564832433.0000000003310000.00000040.80000000.00040000.00000000.sdmp, Offset: 03310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3310000_netsh.jbxd
Yara matches
Similarity
• API ID: LookupPrivilegeValue
• String ID:
• API String ID: 3899507212-0
APIs
• RtlAllocateHeap.NTDLL(03324536,?,03324CAF,03324CAF,?,03324536,?,?,?,?,?,00000000,00000000,?), ref: 0332A62D
Memory Dump Source
• Source File: 00000008.00000002.4564832433.0000000003310000.00000040.80000000.00040000.00000000.sdmp, Offset: 03310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3310000_netsh.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
APIs
• SetErrorMode.KERNELBASE(00008003,?,03318D14,?), ref: 0331F6FB
Memory Dump Source
• Source File: 00000008.00000002.4564832433.0000000003310000.00000040.80000000.00040000.00000000.sdmp, Offset: 03310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3310000_netsh.jbxd
Yara matches
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
APIs
• LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0331AD62
Memory Dump Source
• Source File: 00000008.00000002.4564832433.0000000003310000.00000040.80000000.00040000.00000000.sdmp, Offset: 03310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3310000_netsh.jbxd
Yara matches
Similarity
• API ID: Load
• String ID:
• API String ID: 2234796835-0
APIs
Memory Dump Source
• Source File: 00000008.00000002.4565640687.0000000003C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C10000, based on PE: true
• Associated: 00000008.00000002.4565640687.0000000003D39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4565640687.0000000003D3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4565640687.0000000003DAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3c10000_netsh.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
APIs
• CoInitializeEx.API-MS-WIN-CORE-COM-L1-1-0(00000000,00000006,?,?,?), ref: 00A68D7D
• CoCreateInstance.API-MS-WIN-CORE-COM-L1-1-0(00A61C9C,00000000,00000001,00A61CAC,?), ref: 00A68DAA
• SysAllocString.OLEAUT32(?), ref: 00A68DED
• SysAllocString.OLEAUT32(?), ref: 00A68E37
• SysAllocString.OLEAUT32(?), ref: 00A68E4B
• SysAllocString.OLEAUT32(00000000), ref: 00A68E54
• SysAllocString.OLEAUT32(?), ref: 00A68E77
• SysFreeString.OLEAUT32(00000000), ref: 00A68E92
• SysFreeString.OLEAUT32(00000000), ref: 00A68E99
• SysFreeString.OLEAUT32(?), ref: 00A68EA3
• SysFreeString.OLEAUT32(?), ref: 00A68EAD
• SysFreeString.OLEAUT32(?), ref: 00A68EB7
• SysAllocString.OLEAUT32(WQL), ref: 00A68F18
• SysAllocString.OLEAUT32(select * from Win32_OperatingSystem), ref: 00A68F29
• VariantChangeType.OLEAUT32(?,?,00000000,00000017), ref: 00A68FF1
• VariantChangeType.OLEAUT32(?,?,00000000,00000008), ref: 00A69044
• VariantChangeType.OLEAUT32(?,?,00000000,00000017), ref: 00A690A8
• VariantChangeType.OLEAUT32(?,?,00000000,00000008), ref: 00A690FB
• VariantChangeType.OLEAUT32(?,?,00000000,00000008), ref: 00A6915B
• VariantChangeType.OLEAUT32(?,?,00000000,00000008), ref: 00A691B6
• SysFreeString.OLEAUT32(?), ref: 00A69211
• SysFreeString.OLEAUT32(?), ref: 00A6921B
• SysFreeString.OLEAUT32(?), ref: 00A69239
• SysFreeString.OLEAUT32(00000000), ref: 00A69240
• SysFreeString.OLEAUT32(?), ref: 00A6924A
• SysFreeString.OLEAUT32(?), ref: 00A69254
• SysFreeString.OLEAUT32(?), ref: 00A6925E
• CoUninitialize.API-MS-WIN-CORE-COM-L1-1-0 ref: 00A69264
Strings
Memory Dump Source
• Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
• Associated: 00000008.00000002.4564643629.0000000000A79000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.4564709602.0000000000A7C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_a60000_netsh.jbxd
Similarity
• API ID: String$Free$Alloc$ChangeTypeVariant$CreateInitializeInstanceUninitialize
• String ID: BuildNumber$OSProductSuite$OSType$ServicePackMajorVersion$ServicePackMinorVersion$Version$WQL$\\%s\root\cimv2$select * from Win32_OperatingSystem
• API String ID: 3160123450-4179124359
APIs
• FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000500,?,00000000,00000000,000000B6,00000000,?,00000000,?,?,00A67F23,?,00A6471D,000000B6,?), ref: 00A67E14
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00A67F23,?,00A6471D,000000B6,?), ref: 00A67E20
• wprintf.MSVCRT ref: 00A67E2C
• GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,?,00A67F23,?,00A6471D,000000B6,?), ref: 00A67E38
• LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,?,00A67F23,?,00A6471D), ref: 00A67E51
Strings
• Error %d in FormatMessageW(), xrefs: 00A67E27
Similarity
• API ID: ErrorFormatFreeHandleLastLocalMessagewprintf
• String ID: Error %d in FormatMessageW()
• API String ID: 10433382-1232673963
APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000002,?,?,?,?,?,00A633A3,?,?,?,?,?,00A6348F), ref: 00A633C7
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00A633A3,?,?,?,?,?,00A6348F,?,00000002,00000002,?,00A624DD), ref: 00A633CE
• memcpy.MSVCRT(00000000,?,?,?,00A633A3,?,?,?,?,?,00A6348F,?,00000002,00000002,?,00A624DD), ref: 00A633E4
• qsort.MSVCRT ref: 00A633F5
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 00A63425
• HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A6342C
Similarity
• API ID: Heap$Process$AllocFreememcpyqsort
• String ID:
• API String ID: 3964738767-0
APIs
• GetSystemTimeAsFileTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(00000000), ref: 00A69B82
• GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00A69B91
• GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00A69B9A
• GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00A69BA3
• QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0(?), ref: 00A69BB8
Similarity
• API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
• String ID:
• API String ID: 1445889803-0
APIs
• SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00A69816,00A61000), ref: 00A696E7
• UnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00A69816,?,00A69816,00A61000), ref: 00A696F0
• GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(C0000409,?,00A69816,00A61000), ref: 00A696FB
• TerminateProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,00A69816,00A61000), ref: 00A69702
Similarity
• API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
• String ID:
• API String ID: 3231755760-0
                                                                                                                                                                                                                      • Opcode ID: 995eb23d9860df88a17e819ab7ed8e1b077aa516db8be8030895ffce5fff6abc
                                                                                                                                                                                                                      • Instruction ID: 822103b2034918da55bdda3a5d66f203fa8ade220b53492271e98b0a231104da
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 995eb23d9860df88a17e819ab7ed8e1b077aa516db8be8030895ffce5fff6abc
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A4D0E972054144ABDB006BE1FC0DA5A3F39FB44666F05C416F70E86461DB715593CB65
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00A6930D
                                                                                                                                                                                                                      • GetVersionExW.API-MS-WIN-CORE-SYSINFO-L1-1-0(0000011C,?,?,?), ref: 00A69326
                                                                                                                                                                                                                        • Part of subcall function 00A64F00: _vsnwprintf.MSVCRT ref: 00A64F32
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4564643629.0000000000A79000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4564709602.0000000000A7C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_a60000_netsh.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Version_vsnwprintfmemset
                                                                                                                                                                                                                      • String ID: %d.%d.%d
                                                                                                                                                                                                                      • API String ID: 413895009-3144769927
                                                                                                                                                                                                                      • Opcode ID: 73ace10002228b6be49c836d4664c7de26b268404a594310a1523a83dea0787e
                                                                                                                                                                                                                      • Instruction ID: 8241dc377dcf11b9c12c18fc83503d7f07eed52287bff134590b64b0027d1a29
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 73ace10002228b6be49c836d4664c7de26b268404a594310a1523a83dea0787e
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6211B9B1A40218BBDB20DF619D0AFFF7EB8EB89B00F008455F908A5180DAB45E51DB71
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(Function_000098E0), ref: 00A69935
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4564643629.0000000000A79000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4564709602.0000000000A7C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_a60000_netsh.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ExceptionFilterUnhandled
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3192549508-0
                                                                                                                                                                                                                      • Opcode ID: 218e5361dc34498ad4dbeea14053cdd753b2d644994997e2717c1e8b808775e8
                                                                                                                                                                                                                      • Instruction ID: ea7c6e304c946408dc6d50ce6dafcce53f194faf5fc74058e009a8ef7ff2c282
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 218e5361dc34498ad4dbeea14053cdd753b2d644994997e2717c1e8b808775e8
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D7900260265110968A005BB15C2980765A86A496427418CA1A105C5054DF704042A521
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00A66C2D
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00A66C3D
                                                                                                                                                                                                                      • HeapSetInformation.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000001,00000000,00000000), ref: 00A66C74
                                                                                                                                                                                                                      • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000), ref: 00A66C7B
                                                                                                                                                                                                                      • wprintf.MSVCRT ref: 00A66C94
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4564643629.0000000000A79000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4564709602.0000000000A7C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_a60000_netsh.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset$HandleHeapInformationModulewprintf
                                                                                                                                                                                                                      • String ID: %s$%s>$GetModuleHandle failed$MprmsgGetErrorString$api-ms-win-appmodel-runtime-l1-1-0.dll$mprmsg.dll$netsh$netsh.exe
                                                                                                                                                                                                                      • API String ID: 2957350143-4264442765
                                                                                                                                                                                                                      • Opcode ID: 58235f3cfd9aacb3fe724d5de0a66669ada21451e0e6125c9c905834ae5ccd2e
                                                                                                                                                                                                                      • Instruction ID: c3b5e6e24b020cd1ab14dce5591b07e3b679b17ab46f41fe38382c94475ba0cf
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 58235f3cfd9aacb3fe724d5de0a66669ada21451e0e6125c9c905834ae5ccd2e
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 29F11A75A04216EBCF24DF64DD89AAE77B8FB04314F4081B6F40AA2191DF319E82CF64
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • MatchToken.NETSH(?,help), ref: 00A62879
                                                                                                                                                                                                                        • Part of subcall function 00A67690: _wcsnicmp.MSVCRT ref: 00A676BC
                                                                                                                                                                                                                      • MatchToken.NETSH(?,00A612B0,?,help), ref: 00A62891
                                                                                                                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,00A612B0,?,help), ref: 00A628A6
                                                                                                                                                                                                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A628AD
                                                                                                                                                                                                                      • MatchTagsInCmdLine.NETSH(?,?,?,mode,00000002,00000000), ref: 00A628D8
                                                                                                                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 00A628E6
                                                                                                                                                                                                                      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A628ED
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4564643629.0000000000A79000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4564709602.0000000000A7C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_a60000_netsh.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Heap$Match$ProcessToken$AllocFreeLineTags_wcsnicmp
                                                                                                                                                                                                                      • String ID: append$close$help$mode$name$open
                                                                                                                                                                                                                      • API String ID: 60316392-503993532
                                                                                                                                                                                                                      • Opcode ID: 3d003574504ef4874850c08fba3b7f1b810cef175de81a1acf0bee87b1a940c9
                                                                                                                                                                                                                      • Instruction ID: c806bcc939105852cec0a013677fa99238397b4a0bc123bbcb6042e6ada437fd
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3d003574504ef4874850c08fba3b7f1b810cef175de81a1acf0bee87b1a940c9
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: E891BEB2A00619ABDF15CFE4DC88BEE7BB8FB48354F148129E515B7290C7709D41CB60
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • MatchToken.NETSH(?,help), ref: 00A6261F
                                                                                                                                                                                                                      • MatchToken.NETSH(?,00A612B0,?,help), ref: 00A62638
                                                                                                                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,00A612B0,?,help), ref: 00A6264D
                                                                                                                                                                                                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A62654
                                                                                                                                                                                                                      • MatchTagsInCmdLine.NETSH(00A61284,?,?,?,00000003,00000000), ref: 00A6267C
                                                                                                                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 00A6268D
                                                                                                                                                                                                                      • _wcsicmp.MSVCRT ref: 00A6272F
                                                                                                                                                                                                                      • PrintMessageFromModule.NETSH(000000A9,?), ref: 00A6274D
                                                                                                                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000208), ref: 00A6275B
                                                                                                                                                                                                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A62762
                                                                                                                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?), ref: 00A6278C
                                                                                                                                                                                                                      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A62793
                                                                                                                                                                                                                      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A62694
                                                                                                                                                                                                                        • Part of subcall function 00A66A15: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,00000000,?), ref: 00A66A4C
                                                                                                                                                                                                                        • Part of subcall function 00A66A15: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A66A53
                                                                                                                                                                                                                        • Part of subcall function 00A66A15: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,00000000,?), ref: 00A66A85
                                                                                                                                                                                                                        • Part of subcall function 00A66A15: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A66A8C
                                                                                                                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,00000000), ref: 00A627B6
                                                                                                                                                                                                                      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A627BD
                                                                                                                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000), ref: 00A627C9
                                                                                                                                                                                                                      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A627D0
• PrintMessageFromModule.NETSH(00003AA0), ref: 00A627F1
Strings
Memory Dump Source
• Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
• Associated: 00000008.00000002.4564643629.0000000000A79000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.4564709602.0000000000A7C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_a60000_netsh.jbxd
Similarity
• API ID: Heap$Process$Free$AllocMatch$FromMessageModulePrintToken$LineTags_wcsicmp
• String ID: help$name$pwd$user
• API String ID: 1986014345-3860914806
• Opcode ID: ee3b7c5db59c8fddc822a3ef911bb9be4fa84e4decb31e3bd9f7ccd4d1c1ab5b
• Instruction ID: 9e150d7a59fde2a0d6ad734aaec00bae18ae73fb88bc46cb6d5746563938bcf3
• Opcode Fuzzy Hash: ee3b7c5db59c8fddc822a3ef911bb9be4fa84e4decb31e3bd9f7ccd4d1c1ab5b
• Instruction Fuzzy Hash: 6561A9B1A187019FD710CF68DC88A6BBBF9EB88714F04482EF94997250DB30C8458B62
APIs
• lstrcmpiW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0(?,00A61A54,?,?,?), ref: 00A68A94
• memcmp.MSVCRT(?,?,00000010,?,?), ref: 00A68AA4
• lstrcmpiW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0(?,ras,?,?), ref: 00A68AD8
• MatchToken.NETSH(?,diagnostics,?,?), ref: 00A68B1C
• MatchToken.NETSH(?,set,?,diagnostics,?,?), ref: 00A68B31
• MatchToken.NETSH(?,show,?,set,?,diagnostics,?,?), ref: 00A68B42
• MatchToken.NETSH(?,tracing,?,set,?,diagnostics,?,?), ref: 00A68B54
• MatchToken.NETSH(?,user,?,tracing,?,set,?,diagnostics,?,?), ref: 00A68B66
• MatchToken.NETSH(?,add,?,user,?,tracing,?,set,?,diagnostics,?,?), ref: 00A68B77
• MatchToken.NETSH(?,delete,?,add,?,user,?,tracing,?,set,?,diagnostics,?,?), ref: 00A68B88
• MatchToken.NETSH(?,dump,?,delete,?,add,?,user,?,tracing,?,set,?,diagnostics,?,?), ref: 00A68B99
• MatchToken.NETSH(?,set,?,dump,?,delete,?,add,?,user,?,tracing,?,set,?,diagnostics), ref: 00A68BAA
• MatchToken.NETSH(?,show,?,set,?,dump,?,delete,?,add,?,user,?,tracing,?,set), ref: 00A68BBB
Strings
Memory Dump Source
• Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
• Associated: 00000008.00000002.4564643629.0000000000A79000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.4564709602.0000000000A7C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_a60000_netsh.jbxd
Similarity
• API ID: MatchToken$lstrcmpi$memcmp
• String ID: add$delete$diagnostics$dump$ras$set$show$tracing$user
• API String ID: 4174612407-597535005
• Opcode ID: 34a203f39330191215d1bd9d70fc49236d8332b95a72ce008409729647c6df73
• Instruction ID: 47c0d8e0bbb013dc617e3401ed958ba0302a23c977a9aee563fae29181e272a0
• Opcode Fuzzy Hash: 34a203f39330191215d1bd9d70fc49236d8332b95a72ce008409729647c6df73
• Instruction Fuzzy Hash: 4F411174A10306AFCB10AF69CD46EBFBBB9FF50348F444929E502E2120EB79E811CB40
APIs
• PrintMessage.NETSH([%1!s!] ,?), ref: 00A667C7
• PrintMessage.NETSH(00A74AE0), ref: 00A667DD
• lstrcmpiW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0(netsh,00A6B2F0), ref: 00A667F0
• PrintMessageFromModule.NETSH(000003EF,00A617F4,00A617E0), ref: 00A6682B
  • Part of subcall function 00A67EA0: LoadStringW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00A6471D,?,?,00004000,?,00000000,?,?,00A6471D,000000B6,?), ref: 00A67ED0
  • Part of subcall function 00A67EA0: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00A6471D,GetResourceString,?,00A6471D,000000B6,?), ref: 00A67EE2
• PrintMessage.NETSH(%1!s!>,netsh), ref: 00A66847
• iswctype.MSVCRT ref: 00A6686D
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,?), ref: 00A668AD
• HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A668B4
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,?,00000000,?,?), ref: 00A668EB
• HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A668F2
• ProcessCommand.NETSH(?,?), ref: 00A668FF
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 00A6691C
• HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A66923
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 00A66935
• HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A6693C
Strings
Memory Dump Source
• Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
• Associated: 00000008.00000002.4564643629.0000000000A79000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.4564709602.0000000000A7C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_a60000_netsh.jbxd
Similarity
• API ID: Heap$Process$FreeMessagePrint$AddressCommandFromLoadModuleProcStringiswctypelstrcmpi
• String ID: %1!s!>$[%1!s!] $netsh
• API String ID: 1372608480-1238292096
• Opcode ID: d375b8db678c2fef88583f45dbb9b966327690dac9937d0dd1cd0e0a4000dab4
• Instruction ID: 7b0ced4b0e3e8636e2f81523abf3c97920c5a400aa2165e6ae2b434385f427f0
• Opcode Fuzzy Hash: d375b8db678c2fef88583f45dbb9b966327690dac9937d0dd1cd0e0a4000dab4
• Instruction Fuzzy Hash: 2B51E072E20219EBDB11DFF5CD489AFB7B9FF44710B104416E819E3250EB709E828BA0
APIs
• MatchToken.NETSH(?,help), ref: 00A62B5B
  • Part of subcall function 00A67690: _wcsnicmp.MSVCRT ref: 00A676BC
• MatchToken.NETSH(?,00A612B0,?,help), ref: 00A62B70
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000004,?,00A612B0,?,help), ref: 00A62B80
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A62B87
• MatchTagsInCmdLine.NETSH(?,?,00A612B8,mode,00000001,00000000), ref: 00A62BAD
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 00A62BBB
• HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A62BC2
Strings
Memory Dump Source
• Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
• Associated: 00000008.00000002.4564643629.0000000000A79000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.4564709602.0000000000A7C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_a60000_netsh.jbxd
Similarity
• API ID: Heap$Match$ProcessToken$AllocFreeLineTags_wcsnicmp
• String ID: help$mode$offline$online
• API String ID: 60316392-1053974117
• Opcode ID: 6b1b7df4abdee27086fd0ba9d7458cedd46df81783da3f217b4b8be43c7a1a9c
• Instruction ID: 1f37793092f34f5ad74017cce3851661d60da1c2500c494deaac940cb8a1ef0f
• Opcode Fuzzy Hash: 6b1b7df4abdee27086fd0ba9d7458cedd46df81783da3f217b4b8be43c7a1a9c
• Instruction Fuzzy Hash: A751E172E00906EBDB11DFA4CC45BAE7B79EB44314F148025E909AB260DB719E52CB91
APIs
• _wcsicmp.MSVCRT ref: 00A63D15
• RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,SOFTWARE\Microsoft\NetSh,00000000,000F003F,00A63978), ref: 00A63D87
• RegDeleteValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(00A63978,?), ref: 00A63DA2
• RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(00A63978), ref: 00A63DAD
• PrintMessageFromModule.NETSH(000003E9,?), ref: 00A63DC3
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 00A63DE3
• HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A63DEA
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 00A63DFD
• HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A63E04
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 00A63E1E
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A63E25
• memcpy.MSVCRT(00000000,?,?), ref: 00A63E43
• memcpy.MSVCRT(00000000,00000000,?,00000000,?,?), ref: 00A63E67
• FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?), ref: 00A63EA8
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 00A63EB7
• HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A63EBE
Strings
• SOFTWARE\Microsoft\NetSh, xrefs: 00A63D7D
Memory Dump Source
• Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
• Associated: 00000008.00000002.4564643629.0000000000A79000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.4564709602.0000000000A7C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_a60000_netsh.jbxd
Similarity
• API ID: Heap$FreeProcess$memcpy$AllocCloseDeleteFromLibraryMessageModuleOpenPrintValue_wcsicmp
• String ID: SOFTWARE\Microsoft\NetSh
• API String ID: 915751017-276136757
                                                                                                                                                                                                                      • Opcode ID: 4ac897ad4e739d3b4817623ca91d29cf5884b6d1291728fb80e9a712bddf17ac
                                                                                                                                                                                                                      • Instruction ID: f010b954eb4eb24a9b647f4a7b79b863387f44cf5ed847e3769d9e5f08eabda5
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4ac897ad4e739d3b4817623ca91d29cf5884b6d1291728fb80e9a712bddf17ac
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F45191B6A40210EFCF11DFE8DC88A5E7BB9FB48715B158455E909DB261CB309E83CB60
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,SOFTWARE\Microsoft\NetSh,00000000,00020019,?), ref: 00A63EFB
                                                                                                                                                                                                                      • RegQueryInfoKeyW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000), ref: 00A63F20
                                                                                                                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?), ref: 00A63F44
                                                                                                                                                                                                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A63F4B
                                                                                                                                                                                                                      • PrintMessageFromModule.NETSH(00000068), ref: 00A63F5F
                                                                                                                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?), ref: 00A63F6F
                                                                                                                                                                                                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A63F76
                                                                                                                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 00A63F84
                                                                                                                                                                                                                      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A63F8B
                                                                                                                                                                                                                      • RegEnumValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00A63FBA
                                                                                                                                                                                                                      • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000), ref: 00A63FE7
                                                                                                                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 00A63FF3
                                                                                                                                                                                                                      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A63FFA
                                                                                                                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 00A64006
                                                                                                                                                                                                                      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A6400D
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • SOFTWARE\Microsoft\NetSh, xrefs: 00A63EEA
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4564643629.0000000000A79000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4564709602.0000000000A7C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_a60000_netsh.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Heap$Process$Free$Alloc$CloseEnumFromInfoMessageModuleOpenPrintQueryValue
                                                                                                                                                                                                                      • String ID: SOFTWARE\Microsoft\NetSh
                                                                                                                                                                                                                      • API String ID: 1499200800-276136757
                                                                                                                                                                                                                      • Opcode ID: ba6e322217dcfe8dead1584a9d3603790c37c601e9eba5140f06eb1b2a28c11a
                                                                                                                                                                                                                      • Instruction ID: 24bbc29f44d821411ed8da1527725a920ddab1e87bc06ae372ead2d1be4ffcea
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ba6e322217dcfe8dead1584a9d3603790c37c601e9eba5140f06eb1b2a28c11a
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B7414C72E10219BFDF219BE59C8DEAF7BBCEB44715F104026B50AE6150DA308E86CB60
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • MatchToken.NETSH(?,help,?,00000000,00000000,?,?,?,00A64AEF,?,00000002,?,?,?,00000000), ref: 00A658A5
                                                                                                                                                                                                                        • Part of subcall function 00A67690: _wcsnicmp.MSVCRT ref: 00A676BC
                                                                                                                                                                                                                      • MatchToken.NETSH(?,00A612B0,?,help,?,00000000,00000000,?,?,?,00A64AEF,?,00000002,?,?,?), ref: 00A658B6
                                                                                                                                                                                                                      • PrintError.NETSH(00000000,00000000,?,00A64AEF,?,00000002,?,?,?,00000000,?,?,00000000), ref: 00A658FA
                                                                                                                                                                                                                      • lstrcmpiW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0(?,netsh,?,00000000,00000000,?,?,?,00A64AEF,?,00000002,?,?,?,00000000), ref: 00A65913
                                                                                                                                                                                                                      • PrintError.NETSH(00000000,00003A99,?,00A64AEF,?,00000002,?,?,?,00000000,?,?,00000000), ref: 00A65961
                                                                                                                                                                                                                      • PrintMessageFromModule.NETSH(00000000,00000002,?,00A64AEF,?,00000002,?,?,?,00000000,?,?,00000000), ref: 00A6597E
                                                                                                                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,00A64AEF,?,00000002,?,?,?,00000000), ref: 00A659CE
                                                                                                                                                                                                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00A64AEF,?,00000002,?,?,?,00000000), ref: 00A659D5
                                                                                                                                                                                                                      • PrintMessageFromModule.NETSH(?,?,00000000,?,00A6131C,00000000,?,00A64AEF,?,00000002,?,?,?,00000000), ref: 00A65A10
                                                                                                                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 00A65A1C
                                                                                                                                                                                                                      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A65A23
                                                                                                                                                                                                                      • PrintMessageFromModule.NETSH(?,?,?,?,00A64AEF,?,00000002,?,?,?,00000000), ref: 00A65A33
                                                                                                                                                                                                                        • Part of subcall function 00A67EA0: LoadStringW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00A6471D,?,?,00004000,?,00000000,?,?,00A6471D,000000B6,?), ref: 00A67ED0
                                                                                                                                                                                                                        • Part of subcall function 00A67EA0: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00A6471D,GetResourceString,?,00A6471D,000000B6,?), ref: 00A67EE2
                                                                                                                                                                                                                      • PrintMessage.NETSH(00A61320,?,00A64AEF,?,00000002,?,?,?,00000000,?,?,00000000), ref: 00A65A55
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4564643629.0000000000A79000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4564709602.0000000000A7C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_a60000_netsh.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Print$HeapMessage$FromModule$ErrorMatchProcessToken$AddressAllocFreeLoadProcString_wcsnicmplstrcmpi
                                                                                                                                                                                                                      • String ID: help$netsh
                                                                                                                                                                                                                      • API String ID: 691894897-4263905064
                                                                                                                                                                                                                      • Opcode ID: 8e8250b91cf837ca63cd5a22202b31025c2906669fc3f16b292e4120e933baf6
                                                                                                                                                                                                                      • Instruction ID: cf94ccce26d9653475a895ed7eaba9491718a5a936d62d080d4060319a8f4a28
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 8e8250b91cf837ca63cd5a22202b31025c2906669fc3f16b292e4120e933baf6
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C3511572A10605EFDF14AFB8CC89AAEB7B9EB04364F148639F805D2290E7318D52DA40
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • _wcsicmp.MSVCRT ref: 00A63A59
                                                                                                                                                                                                                      • _wcsicmp.MSVCRT ref: 00A63A6F
                                                                                                                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 00A63A95
                                                                                                                                                                                                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A63A9C
                                                                                                                                                                                                                      • memcpy.MSVCRT(00000000), ref: 00A63ABB
                                                                                                                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 00A63AD6
                                                                                                                                                                                                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A63ADD
                                                                                                                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?), ref: 00A63B07
                                                                                                                                                                                                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A63B0E
                                                                                                                                                                                                                      • _wcsupr.MSVCRT ref: 00A63B31
                                                                                                                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A63B46
                                                                                                                                                                                                                      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A63B4D
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4564643629.0000000000A79000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4564709602.0000000000A7C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_a60000_netsh.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Heap$Process$Alloc$_wcsicmp$Free_wcsuprmemcpy
                                                                                                                                                                                                                      • String ID: ipxmontr.dll$ipxpromn.dll
                                                                                                                                                                                                                      • API String ID: 1906506965-3013806906
                                                                                                                                                                                                                      • Opcode ID: bc1a971d3937bce85522e480afacabe6883be63fe8beb809703f0a50c7286246
                                                                                                                                                                                                                      • Instruction ID: 7117e71f347a95188a89f7eeca364292ddc3505d3e49f5c348568d9c8ba6d5f8
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: bc1a971d3937bce85522e480afacabe6883be63fe8beb809703f0a50c7286246
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8241EB77900201ABDF15DFF9DC499ABB7B9FB48311715842AE80AD7291DB31EA43CB50
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • wcspbrk.MSVCRT ref: 00A67481
                                                                                                                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,?), ref: 00A67634
                                                                                                                                                                                                                      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A6763B
                                                                                                                                                                                                                      • PrintMessageFromModule.NETSH(00003AA0,?), ref: 00A67650
                                                                                                                                                                                                                      • PrintMessageFromModule.NETSH(00000068), ref: 00A67673
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4564643629.0000000000A79000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4564709602.0000000000A7C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_a60000_netsh.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FromHeapMessageModulePrint$FreeProcesswcspbrk
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3977950575-0
                                                                                                                                                                                                                      • Opcode ID: 98444b7b417bd5626ca3281db25034c64f69f25578cc57d7e2f0fb8c9ed798b9
                                                                                                                                                                                                                      • Instruction ID: 45107ef057e4a98e702d98a1b0c717c97d5f254f9964e5f725bb6fe1596559c5
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 98444b7b417bd5626ca3281db25034c64f69f25578cc57d7e2f0fb8c9ed798b9
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D471C175D14216DFCF10CFA8CC899AEBBB5FB48328F148565E81AA7261D7349D82CF90
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00A69CA9: __iob_func.MSVCRT ref: 00A69CAE
                                                                                                                                                                                                                      • fflush.MSVCRT ref: 00A677ED
                                                                                                                                                                                                                      • fgets.MSVCRT ref: 00A67800
                                                                                                                                                                                                                      • GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?,000000FF,00000000,00000000,00000000,?,?,?,?,?), ref: 00A67820
                                                                                                                                                                                                                      • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(00000000,?,?,?,?,?), ref: 00A67827
                                                                                                                                                                                                                      • WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,?,-00000002,?,00000000,?,?,?,?,?), ref: 00A6786B
                                                                                                                                                                                                                      • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,?,?,?), ref: 00A6787B
                                                                                                                                                                                                                      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?), ref: 00A67887
                                                                                                                                                                                                                      • PrintError.NETSH(00000000,00000000,?,?,?,?,?), ref: 00A6788F
                                                                                                                                                                                                                        • Part of subcall function 00A67BC0: LoadStringW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00A6471D,?,?,00004000,-00000001,00000000,00000000,?,00A679C1,00000000,00000000,?,00A67E48,?,00A67F23), ref: 00A67C05
                                                                                                                                                                                                                        • Part of subcall function 00A67BC0: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000500,?,00000000,00000000,?,00000000,?,?,00A679C1,00000000,00000000,?,00A67E48,?,00A67F23), ref: 00A67C2C
                                                                                                                                                                                                                        • Part of subcall function 00A67BC0: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,?,00A679C1,00000000,00000000,?,00A67E48,?,00A67F23,?,00A6471D,000000B6,?), ref: 00A67C3A
                                                                                                                                                                                                                        • Part of subcall function 00A67BC0: LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,00A679C1,00000000,00000000,?,00A67E48,?,00A67F23,?,00A6471D,000000B6,?), ref: 00A67C53
                                                                                                                                                                                                                      • WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,00000002,?,00000000,?,?,?,?,?), ref: 00A678AD
                                                                                                                                                                                                                      • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,?,?,?), ref: 00A678BD
                                                                                                                                                                                                                      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?), ref: 00A678C9
                                                                                                                                                                                                                      • PrintError.NETSH(00000000,00000000,?,?,?,?,?), ref: 00A678D1
                                                                                                                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,?,?,?,?), ref: 00A678DD
                                                                                                                                                                                                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,?), ref: 00A678E4
                                                                                                                                                                                                                      • GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?,00002000,00000000,00000000,?,?,?,?,?), ref: 00A67900
                                                                                                                                                                                                                      • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(00000000,?,?,?,?,?), ref: 00A67907
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4564643629.0000000000A79000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4564709602.0000000000A7C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_a60000_netsh.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Error$Handle$ByteCharCloseConsoleFileHeapLastMultiOutputPrintWideWrite$AllocFormatFreeLoadLocalMessageProcessString__iob_funcfflushfgets
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3788396652-0
                                                                                                                                                                                                                      • Opcode ID: 8d3ee00c6dcc678f7997b6fe301f87a73b0ef4ec0b896b477df8e8d36c319dd8
                                                                                                                                                                                                                      • Instruction ID: 21e9a4615c769f2cab5688df70706a758d87120d9e261ce85073265d9383d835
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 8d3ee00c6dcc678f7997b6fe301f87a73b0ef4ec0b896b477df8e8d36c319dd8
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2D31AAB6610314AFEB14DBA4ED4CEAB77BCEB85711F00815AF60DD2151EB309D82CB21
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,00000000,?), ref: 00A66A4C
                                                                                                                                                                                                                      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A66A53
                                                                                                                                                                                                                        • Part of subcall function 00A653D8: _wcslwr.MSVCRT ref: 00A653EE
                                                                                                                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,00000000,?), ref: 00A66A85
                                                                                                                                                                                                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A66A8C
                                                                                                                                                                                                                      • GetComputerNameExW.API-MS-WIN-CORE-SYSINFO-L1-1-0(00000001,?,?), ref: 00A66AFE
                                                                                                                                                                                                                      • PrintMessageFromModule.NETSH(000000B4,?,?,00000000,?), ref: 00A66B14
                                                                                                                                                                                                                      • PrintError.NETSH(00000000,00000000,?,00000000,?), ref: 00A66B20
                                                                                                                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000208,?,?,00000000,?), ref: 00A66B9C
                                                                                                                                                                                                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,00000000,?), ref: 00A66BA3
                                                                                                                                                                                                                      • PrintMessageFromModule.NETSH(00000000,0000000E,?,?,00000000,?), ref: 00A66BB5
                                                                                                                                                                                                                        • Part of subcall function 00A68D48: CoInitializeEx.API-MS-WIN-CORE-COM-L1-1-0(00000000,00000006,?,?,?), ref: 00A68D7D
                                                                                                                                                                                                                        • Part of subcall function 00A68D48: CoCreateInstance.API-MS-WIN-CORE-COM-L1-1-0(00A61C9C,00000000,00000001,00A61CAC,?), ref: 00A68DAA
                                                                                                                                                                                                                        • Part of subcall function 00A68D48: SysAllocString.OLEAUT32(?), ref: 00A68DED
                                                                                                                                                                                                                        • Part of subcall function 00A68D48: SysAllocString.OLEAUT32(?), ref: 00A68E37
                                                                                                                                                                                                                        • Part of subcall function 00A68D48: SysAllocString.OLEAUT32(?), ref: 00A68E4B
                                                                                                                                                                                                                        • Part of subcall function 00A68D48: SysAllocString.OLEAUT32(00000000), ref: 00A68E54
                                                                                                                                                                                                                        • Part of subcall function 00A68D48: SysFreeString.OLEAUT32(00000000), ref: 00A68E92
                                                                                                                                                                                                                        • Part of subcall function 00A68D48: SysFreeString.OLEAUT32(00000000), ref: 00A68E99
                                                                                                                                                                                                                        • Part of subcall function 00A68D48: SysFreeString.OLEAUT32(?), ref: 00A68EA3
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4564643629.0000000000A79000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4564709602.0000000000A7C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_a60000_netsh.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: String$AllocHeap$Free$PrintProcess$FromMessageModule$ComputerCreateErrorInitializeInstanceName_wcslwr
                                                                                                                                                                                                                      • String ID: \\%s\ipc$$netsh
                                                                                                                                                                                                                      • API String ID: 876722747-2229480662
                                                                                                                                                                                                                      • Opcode ID: af621e72f3715d42172cce9770c0fbfeb74e934defe44b875faf847e6c5a6eaa
                                                                                                                                                                                                                      • Instruction ID: 00cf762d1e22fa763ec0b35709d6bfc0e727ed38b663363b0aa252a83fc4e3db
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: af621e72f3715d42172cce9770c0fbfeb74e934defe44b875faf847e6c5a6eaa
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3C51B0F2614311BBD714EFA4DC45A6B77FCEB88710F10892EF849D6240EB70D9828B91
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • _wcsicmp.MSVCRT ref: 00A63BA6
                                                                                                                                                                                                                      • RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,SOFTWARE\Microsoft\NetSh,00000000,STRING,00000000,000F003F,00000000,?,00000000), ref: 00A63BE3
                                                                                                                                                                                                                      • _wcsdup.MSVCRT ref: 00A63BF4
                                                                                                                                                                                                                      • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 00A63C07
                                                                                                                                                                                                                      • wcsrchr.MSVCRT ref: 00A63C1A
                                                                                                                                                                                                                      • wcsrchr.MSVCRT ref: 00A63C29
                                                                                                                                                                                                                      • wcsrchr.MSVCRT ref: 00A63C50
                                                                                                                                                                                                                      • RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,?,00000000,00000001,00000000,00000000), ref: 00A63C90
                                                                                                                                                                                                                      • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 00A63C9E
                                                                                                                                                                                                                      • free.MSVCRT ref: 00A63CA5
                                                                                                                                                                                                                      • PrintMessageFromModule.NETSH(000003E8), ref: 00A63CD4
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4564643629.0000000000A79000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4564709602.0000000000A7C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_a60000_netsh.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: wcsrchr$Close$CreateFromMessageModulePrintValue_wcsdup_wcsicmpfree
                                                                                                                                                                                                                      • String ID: SOFTWARE\Microsoft\NetSh$STRING
                                                                                                                                                                                                                      • API String ID: 3059030296-2051982046
                                                                                                                                                                                                                      • Opcode ID: 7097dd55500782714dcee2d730b8c9b28402206d48dd373f6128dd8a432e9ebf
                                                                                                                                                                                                                      • Instruction ID: 6641935ba25f7e7f809f9fcf642a2c0b1fcc11a916ec3a6e5e03f8d769dfa4ec
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 7097dd55500782714dcee2d730b8c9b28402206d48dd373f6128dd8a432e9ebf
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 75411437600205AFDF289B64ED0EAAB7779EB85311F50406AF50AE7190EF709E46CB50
APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000010), ref: 00A62141
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A62148
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 00A6215D
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A62164
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 00A62172
• HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A62179
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 00A62185
• HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A6218C
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 00A62199
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A621A0
• PrintMessageFromModule.NETSH(00000068), ref: 00A621B5
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 00A621D9
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A621E0
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 00A621F2
• HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A621F9
Memory Dump Source
• Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
• Associated: 00000008.00000002.4564643629.0000000000A79000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.4564709602.0000000000A7C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_a60000_netsh.jbxd
Similarity
• API ID: Heap$Process$Alloc$Free$FromMessageModulePrint
• String ID:
APIs
Similarity
• API ID: wcschr$FromMessageModulePrint$_wcsicmpmemcpy
• String ID:
APIs
  • Part of subcall function 00A6401D: MatchToken.NETSH(?,?,00000000,00000000,?,?,?,00A6566F,?,?,00000000,?), ref: 00A64041
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,?,00000000,?), ref: 00A65705
• HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A6570C
• GenericMonitor.NETSH(?,00000004,?,?,00000000,00A6F3D8,?,?,?,00000000,?), ref: 00A65741
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,00000000,?), ref: 00A65792
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A65799
• memcpy.MSVCRT(00000000,00000000,?), ref: 00A657B3
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000004), ref: 00A657C1
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A657C8
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00A612B0), ref: 00A65808
• HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A6580F
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 00A65818
• HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A6581F
Similarity
• API ID: Heap$Process$Free$Alloc$GenericMatchMonitorTokenmemcpy
• String ID:
APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,00000000,?,?,?,?), ref: 00A654B6
• HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A654BD
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?), ref: 00A65547
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A6554E
Similarity
• API ID: Heap$Process$AllocFree
• String ID:
APIs
• PrintMessageFromModule.NETSH(00000087,00000000,?,?,?,00A64CB5,?,00000002,?,?,?,?), ref: 00A6850E
• _wcsicmp.MSVCRT ref: 00A685E2
• PrintMessageFromModule.NETSH(?,00000070,?,00000000,?,?,?,00A64CB5,?,00000002,?,?,?), ref: 00A6881E
• PrintMessageFromModule.NETSH(?,0000006F,00000000,?,?,?,00A64CB5,?,00000002,?,?,?), ref: 00A6882B
• PrintMessageFromModule.NETSH(?,00000069,00000000,?,?,?,00A64CB5,?,00000002,?,?,?), ref: 00A6885D
• PrintMessage.NETSH( %1!s!,?,00000000,?,?,?,00A64CB5,?,00000002,?,?,?), ref: 00A68888
• PrintMessage.NETSH(00A61320,00000000,?,?,?,00A64CB5,?,00000002,?,?,?), ref: 00A6889E
• PrintMessageFromModule.NETSH(?,0000006B,00A612B0,00000000,?,?,?,00A64CB5,?,00000002,?,?,?), ref: 00A688B2
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,?,?,00A64CB5,?,00000002,?,?,?), ref: 00A688C7
• HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00A64CB5,?,00000002,?,?,?), ref: 00A688CE
Strings
Similarity
• API ID: MessagePrint$FromModule$Heap$FreeProcess_wcsicmp
• String ID: %1!s!
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,000000B6,000000FF,00000000,00000000,00000000,00000000,00A6471D,00000000,00004000,00000000,00000000,?,00A67E48,?,00A67F23), ref: 00A67939
                                                                                                                                                                                                                      • WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,?,00A67E48,?,00A67F23,?,00A6471D,000000B6,?), ref: 00A67940
                                                                                                                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,00A67E48,?,00A67F23,?,00A6471D,000000B6,?), ref: 00A6794A
                                                                                                                                                                                                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00A67E48,?,00A67F23,?,00A6471D,000000B6,?), ref: 00A67951
                                                                                                                                                                                                                      • GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,000000B6,000000FF,00000000,00000000,00000000,00000000,?,00A67E48,?,00A67F23,?,00A6471D,000000B6,?), ref: 00A67969
                                                                                                                                                                                                                      • WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,?,00A67E48,?,00A67F23,?,00A6471D,000000B6,?), ref: 00A67970
                                                                                                                                                                                                                      • WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(000000B6,00000000,-00000001,00A6471D,00000000,?,00A67E48,?,00A67F23,?,00A6471D,000000B6,?), ref: 00A67981
                                                                                                                                                                                                                      • WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,-00000001,00A6471D,00000000,?,00A67E48,?,00A67F23,?,00A6471D,000000B6,?), ref: 00A67998
                                                                                                                                                                                                                      • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,00A67E48,?,00A67F23,?,00A6471D,000000B6,?), ref: 00A679A8
                                                                                                                                                                                                                      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00A67E48,?,00A67F23,?,00A6471D,000000B6,?), ref: 00A679B4
                                                                                                                                                                                                                      • PrintError.NETSH(00000000,00000000,?,00A67E48,?,00A67F23,?,00A6471D,000000B6,?), ref: 00A679BC
                                                                                                                                                                                                                        • Part of subcall function 00A67BC0: LoadStringW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00A6471D,?,?,00004000,-00000001,00000000,00000000,?,00A679C1,00000000,00000000,?,00A67E48,?,00A67F23), ref: 00A67C05
                                                                                                                                                                                                                        • Part of subcall function 00A67BC0: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000500,?,00000000,00000000,?,00000000,?,?,00A679C1,00000000,00000000,?,00A67E48,?,00A67F23), ref: 00A67C2C
                                                                                                                                                                                                                        • Part of subcall function 00A67BC0: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,?,00A679C1,00000000,00000000,?,00A67E48,?,00A67F23,?,00A6471D,000000B6,?), ref: 00A67C3A
                                                                                                                                                                                                                        • Part of subcall function 00A67BC0: LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,00A679C1,00000000,00000000,?,00A67E48,?,00A67F23,?,00A6471D,000000B6,?), ref: 00A67C53
                                                                                                                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,00A67E48,?,00A67F23,?,00A6471D,000000B6,?), ref: 00A679C5
                                                                                                                                                                                                                      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00A67E48,?,00A67F23,?,00A6471D,000000B6,?), ref: 00A679CC
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4564643629.0000000000A79000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4564709602.0000000000A7C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_a60000_netsh.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Heap$ByteCharConsoleErrorFileFreeHandleMultiOutputProcessWideWrite$AllocCloseFormatLastLoadLocalMessagePrintString
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3846968651-0
                                                                                                                                                                                                                      • Opcode ID: 26954d82e5c4f0384f0379f8e976b556f62224b2186ba33e19b3276d81c0d28d
                                                                                                                                                                                                                      • Instruction ID: e0091d806ea2a797872deee54a67a59ededc089957bd97dd5e909a2e233e9ff7
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 26954d82e5c4f0384f0379f8e976b556f62224b2186ba33e19b3276d81c0d28d
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: EF1163B2621220BFDB24ABF1EC4CD9B3F7CEB857727108516B50ED2150EA309D42CA70
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • qsort.MSVCRT ref: 00A68336
                                                                                                                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000001,?,?,?,?,?,00A64CB5,?,00000002,?,?,?), ref: 00A683A2
                                                                                                                                                                                                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,?,00A64CB5,?,00000002,?,?,?), ref: 00A683A9
                                                                                                                                                                                                                      • PrintMessage.NETSH(%1!-14s! - ,00A73FEC,?,?,?,?,?,00A64CB5,?,00000002,?,?,?), ref: 00A683BC
                                                                                                                                                                                                                      • PrintMessage.NETSH(%1!-14s! - ,00000000,00A73FEC,00A6131C,?,?,?,?,?,?,00A64CB5,?,00000002,?,?,?), ref: 00A683F1
                                                                                                                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,00A73FEC,00A6131C,?,?,?,?,?,?,00A64CB5,?,00000002,?,?,?), ref: 00A683FC
                                                                                                                                                                                                                      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,?,00A64CB5,?,00000002,?,?,?), ref: 00A68403
                                                                                                                                                                                                                      • PrintMessage.NETSH(%1!-14s! - ,00A73FEC,00000001,?,?,?,?,?,00A64CB5,?,00000002,?,?,?), ref: 00A68412
                                                                                                                                                                                                                      • PrintMessageFromModule.NETSH(?,?,?,?,00A6131C,00000001,?,?,?,?,?,00A64CB5,?,00000002,?,?), ref: 00A68436
                                                                                                                                                                                                                      • PrintMessage.NETSH(00A61320,?,?,?,?,00000001,?,?,?,?,?,00A64CB5,?,00000002,?,?), ref: 00A68447
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4564643629.0000000000A79000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4564709602.0000000000A7C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_a60000_netsh.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: MessagePrint$Heap$Process$AllocFreeFromModuleqsort
                                                                                                                                                                                                                      • String ID: %1!-14s! -
                                                                                                                                                                                                                      • API String ID: 3292501186-4170063814
                                                                                                                                                                                                                      • Opcode ID: 4a1d67e291795a0c38b5f0814598a648ea227f82563fbb1a95e751ca07ba0da9
                                                                                                                                                                                                                      • Instruction ID: 22f71a6ff1da07fe56b24a0ea27a1aa1d4f27caaeb994f253e573ac3619188a6
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4a1d67e291795a0c38b5f0814598a648ea227f82563fbb1a95e751ca07ba0da9
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 7F315776600201EFCB24EFE8CC96C6BB7BAEF44314314C92DF84686211EE369D86DA10
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • LoadStringW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00A6471D,?,?,00004000,-00000001,00000000,00000000,?,00A679C1,00000000,00000000,?,00A67E48,?,00A67F23), ref: 00A67C05
                                                                                                                                                                                                                      • FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000500,?,00000000,00000000,?,00000000,?,?,00A679C1,00000000,00000000,?,00A67E48,?,00A67F23), ref: 00A67C2C
                                                                                                                                                                                                                      • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,00A679C1,00000000,00000000,?,00A67E48,?,00A67F23,?,00A6471D,000000B6,?), ref: 00A67C53
                                                                                                                                                                                                                      • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,?,00A679C1,00000000,00000000,?,00A67E48,?,00A67F23,?,00A6471D,000000B6,?), ref: 00A67C3A
                                                                                                                                                                                                                        • Part of subcall function 00A67920: GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,000000B6,000000FF,00000000,00000000,00000000,00000000,00A6471D,00000000,00004000,00000000,00000000,?,00A67E48,?,00A67F23), ref: 00A67939
                                                                                                                                                                                                                        • Part of subcall function 00A67920: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,?,00A67E48,?,00A67F23,?,00A6471D,000000B6,?), ref: 00A67940
                                                                                                                                                                                                                        • Part of subcall function 00A67920: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,00A67E48,?,00A67F23,?,00A6471D,000000B6,?), ref: 00A6794A
                                                                                                                                                                                                                        • Part of subcall function 00A67920: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00A67E48,?,00A67F23,?,00A6471D,000000B6,?), ref: 00A67951
                                                                                                                                                                                                                        • Part of subcall function 00A67920: GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,000000B6,000000FF,00000000,00000000,00000000,00000000,?,00A67E48,?,00A67F23,?,00A6471D,000000B6,?), ref: 00A67969
                                                                                                                                                                                                                        • Part of subcall function 00A67920: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,?,00A67E48,?,00A67F23,?,00A6471D,000000B6,?), ref: 00A67970
                                                                                                                                                                                                                        • Part of subcall function 00A67920: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(000000B6,00000000,-00000001,00A6471D,00000000,?,00A67E48,?,00A67F23,?,00A6471D,000000B6,?), ref: 00A67981
                                                                                                                                                                                                                        • Part of subcall function 00A67920: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,-00000001,00A6471D,00000000,?,00A67E48,?,00A67F23,?,00A6471D,000000B6,?), ref: 00A67998
                                                                                                                                                                                                                        • Part of subcall function 00A67920: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,00A67E48,?,00A67F23,?,00A6471D,000000B6,?), ref: 00A679A8
                                                                                                                                                                                                                        • Part of subcall function 00A67920: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00A67E48,?,00A67F23,?,00A6471D,000000B6,?), ref: 00A679B4
                                                                                                                                                                                                                        • Part of subcall function 00A67920: PrintError.NETSH(00000000,00000000,?,00A67E48,?,00A67F23,?,00A6471D,000000B6,?), ref: 00A679BC
                                                                                                                                                                                                                        • Part of subcall function 00A67920: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,00A67E48,?,00A67F23,?,00A6471D,000000B6,?), ref: 00A679C5
                                                                                                                                                                                                                        • Part of subcall function 00A67920: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00A67E48,?,00A67F23,?,00A6471D,000000B6,?), ref: 00A679CC
                                                                                                                                                                                                                      • LoadStringW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(000003EE,?,00004000,-00000001,00000000,00000000,?,00A679C1,00000000,00000000,?,00A67E48,?,00A67F23,?,00A6471D), ref: 00A67C8C
                                                                                                                                                                                                                      • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,?,00A679C1,00000000,00000000,?,00A67E48,?,00A67F23,?,00A6471D,000000B6,?), ref: 00A67C98
                                                                                                                                                                                                                      • LoadStringW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,00004000,-00000001,00000000,00000000,?,00A679C1,00000000,00000000,?,00A67E48,?,00A67F23,?,00A6471D), ref: 00A67CE5
                                                                                                                                                                                                                      • FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000500,?,00000000,00000000,?,00000000,?,?,00A679C1,00000000,00000000,?,00A67E48,?,00A67F23), ref: 00A67D0C
                                                                                                                                                                                                                      • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,00A679C1,00000000,00000000,?,00A67E48,?,00A67F23,?,00A6471D,000000B6,?), ref: 00A67D5F
                                                                                                                                                                                                                      • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,00A61714,?,00A679C1,00000000,00000000,?,00A67E48,?,00A67F23,?,00A6471D,000000B6,?), ref: 00A67D79
                                                                                                                                                                                                                      • FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001000,00000000,?,00000400,?,00004000,?,-00000001,00000000,00000000,?,00A679C1,00000000,00000000,?,00A67E48), ref: 00A67DC3
                                                                                                                                                                                                                      • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,?,00A679C1,00000000,00000000,?,00A67E48,?,00A67F23,?,00A6471D,000000B6,?), ref: 00A67DD1
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4564643629.0000000000A79000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4564709602.0000000000A7C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_a60000_netsh.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Handle$Heap$FormatFreeLoadMessageString$ByteCharConsoleErrorFileLocalMultiOutputProcessWideWrite$AllocCloseLastPrint
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1170536616-0
                                                                                                                                                                                                                      • Opcode ID: e98c99ee3fd1aecc1f076785c00454ffc28ba58bcd2c292a904eb19d23606140
                                                                                                                                                                                                                      • Instruction ID: ea5d38d3621f85565997c4d7c267284bd89b1d883f6f20ca658d55b1498157df
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e98c99ee3fd1aecc1f076785c00454ffc28ba58bcd2c292a904eb19d23606140
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: EF517C75624119ABDF60DB94DC48EEE73B8FF44714F00C5A5E94EA7290DA309E89CF60
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00A689D7: lstrcmpiW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0(?,?,?,00A648DC), ref: 00A689EE
                                                                                                                                                                                                                        • Part of subcall function 00A68A48: lstrcmpiW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0(?,00A61A54,?,?,?), ref: 00A68A94
                                                                                                                                                                                                                        • Part of subcall function 00A68A48: memcmp.MSVCRT(?,?,00000010,?,?), ref: 00A68AA4
                                                                                                                                                                                                                        • Part of subcall function 00A68A48: lstrcmpiW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0(?,ras,?,?), ref: 00A68AD8
                                                                                                                                                                                                                        • Part of subcall function 00A68A48: MatchToken.NETSH(?,diagnostics,?,?), ref: 00A68B1C
                                                                                                                                                                                                                        • Part of subcall function 00A68A48: MatchToken.NETSH(?,set,?,diagnostics,?,?), ref: 00A68B31
                                                                                                                                                                                                                        • Part of subcall function 00A68A48: MatchToken.NETSH(?,show,?,set,?,diagnostics,?,?), ref: 00A68B42
                                                                                                                                                                                                                        • Part of subcall function 00A68A48: MatchToken.NETSH(?,tracing,?,set,?,diagnostics,?,?), ref: 00A68B54
                                                                                                                                                                                                                        • Part of subcall function 00A68A48: MatchToken.NETSH(?,user,?,tracing,?,set,?,diagnostics,?,?), ref: 00A68B66
                                                                                                                                                                                                                        • Part of subcall function 00A68A48: MatchToken.NETSH(?,add,?,user,?,tracing,?,set,?,diagnostics,?,?), ref: 00A68B77
                                                                                                                                                                                                                        • Part of subcall function 00A68A48: MatchToken.NETSH(?,delete,?,add,?,user,?,tracing,?,set,?,diagnostics,?,?), ref: 00A68B88
                                                                                                                                                                                                                        • Part of subcall function 00A68A48: MatchToken.NETSH(?,dump,?,delete,?,add,?,user,?,tracing,?,set,?,diagnostics,?,?), ref: 00A68B99
                                                                                                                                                                                                                      • PrintError.NETSH(00000000,00000000), ref: 00A6492B
                                                                                                                                                                                                                        • Part of subcall function 00A68BE5: RegGetValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,System\CurrentControlSet\Services\RemoteAccess\Parameters,MultiTenancyEnabled,00000018,00000000,00000000,00000004), ref: 00A68C30
                                                                                                                                                                                                                        • Part of subcall function 00A68BE5: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000), ref: 00A68C52
                                                                                                                                                                                                                      • MatchToken.NETSH(?,00A61490,?), ref: 00A6497C
                                                                                                                                                                                                                      • MatchToken.NETSH(?,00000000,?), ref: 00A649D3
                                                                                                                                                                                                                      • MatchToken.NETSH(?,?,?), ref: 00A64A32
                                                                                                                                                                                                                      • MatchToken.NETSH(?,?,?), ref: 00A64A72
                                                                                                                                                                                                                        • Part of subcall function 00A651C6: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,00000000,?,?,?,?,00A64B22,?,?,?,?,?), ref: 00A6525B
                                                                                                                                                                                                                        • Part of subcall function 00A651C6: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00A64B22,?,?,?,?,?), ref: 00A65262
                                                                                                                                                                                                                        • Part of subcall function 00A651C6: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,00000000,?,?,?,?,00A64B22,?,?,?,?,?), ref: 00A65286
                                                                                                                                                                                                                        • Part of subcall function 00A651C6: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00A64B22,?,?,?,?,?), ref: 00A6528D
                                                                                                                                                                                                                      • GenericMonitor.NETSH(?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 00A64BB9
                                                                                                                                                                                                                        • Part of subcall function 00A648A0: MatchToken.NETSH(?,help,?,?,?), ref: 00A64BDC
                                                                                                                                                                                                                        • Part of subcall function 00A648A0: MatchToken.NETSH(?,00A612B0,?,help,?,?,?), ref: 00A64BF1
                                                                                                                                                                                                                        • Part of subcall function 00A648A0: MatchCmdLine.NETSH(?,-000000FB,?,?,?,00A612B0,?,help,?,?,?), ref: 00A64C3E
                                                                                                                                                                                                                        • Part of subcall function 00A6846A: PrintMessageFromModule.NETSH(00000087,00000000,?,?,?,00A64CB5,?,00000002,?,?,?,?), ref: 00A6850E
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
                                                                                                                                                                                                                       • Associated: 00000008.00000002.4564643629.0000000000A79000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                       • Associated: 00000008.00000002.4564709602.0000000000A7C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_a60000_netsh.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Match$Token$Heap$lstrcmpi$PrintProcess$AllocCloseErrorFreeFromGenericLineMessageModuleMonitorValuememcmp
                                                                                                                                                                                                                      • String ID: help
                                                                                                                                                                                                                      • API String ID: 1271217041-143088812
                                                                                                                                                                                                                      • Opcode ID: ba05b30a98fc2df5e6f4b7c105dd82975554e61a73e4b2c2af74ec77efb29496
                                                                                                                                                                                                                      • Instruction ID: b9e191fc26c844ab0a2e8a76ef2582c638d10ae988b90ed521d980963b35516d
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ba05b30a98fc2df5e6f4b7c105dd82975554e61a73e4b2c2af74ec77efb29496
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8FD15A71A0020AAFCF14DFA9CD819AEBBBAFF48344B148159F8159B252D731ED61DF90
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4565640687.0000000003C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C10000, based on PE: true
                                                                                                                                                                                                                       • Associated: 00000008.00000002.4565640687.0000000003D39000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                       • Associated: 00000008.00000002.4565640687.0000000003D3D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                       • Associated: 00000008.00000002.4565640687.0000000003DAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_3c10000_netsh.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ___swprintf_l
                                                                                                                                                                                                                      • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                                                                                                                                                      • API String ID: 48624451-2108815105
                                                                                                                                                                                                                      • Opcode ID: 509dd88ad6c9298a0d89855dc1b7b6ad002650bee98715f103797815ddeab273
                                                                                                                                                                                                                      • Instruction ID: 379fb77fb8036141fa831da1ad3c0553dd36221ea465233daa74debaec3df2c6
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 509dd88ad6c9298a0d89855dc1b7b6ad002650bee98715f103797815ddeab273
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F3510ABAA00116BFCF20EF99C88497EF7B8BB09204B158569E4A5DB641D334DF54DBE0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4565640687.0000000003C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C10000, based on PE: true
                                                                                                                                                                                                                       • Associated: 00000008.00000002.4565640687.0000000003D39000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                       • Associated: 00000008.00000002.4565640687.0000000003D3D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                       • Associated: 00000008.00000002.4565640687.0000000003DAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_3c10000_netsh.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ___swprintf_l
                                                                                                                                                                                                                      • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                                                                                                                                                      • API String ID: 48624451-2108815105
                                                                                                                                                                                                                      • Opcode ID: 104265efa42cd8bce8228c96134c91715d09753483b7634a5de264261b080389
                                                                                                                                                                                                                      • Instruction ID: e8adf599d189aabbe35afbead25a312d63e089153c1c87cc9ead9c17a178b8d1
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 104265efa42cd8bce8228c96134c91715d09753483b7634a5de264261b080389
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6A510979A00A456FDBB0EF5CC89097FBBFDEB44200B04886AE595DB641D7B4DB408760
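                                                                                                                                                                                                                       The String ID field of the two ___swprintf_l functions above (dump 03C10000, snapshot hcaresult_8_2_3c10000_netsh.jbxd) lists four format templates separated by "$": ":%u.%u.%u.%u", "::%hs%u.%u.%u.%u", "::ffff:0:%u.%u.%u.%u" and "ffff:". These are the text forms of an IPv6 address whose last 32 bits carry an IPv4 address (IPv4-mapped "::ffff:a.b.c.d", IPv4-compatible "::a.b.c.d" and the RFC 2765 IPv4-translated "::ffff:0:a.b.c.d"), consistent with an address-to-string routine; they are formatting templates, not addresses, so they are not C2 indicators by themselves. The Python below is an added example written for this page, not code from the report, from Joe Sandbox or from the sample: it reproduces those templates, plus the ordinary compressed hextet form, so an analyst can see what each one renders. The rules that pick a template are an assumption modelled on the BSD inet_ntop6 algorithm (the report does not show which rule the dumped function uses), the NAT64 case is the example's own illustration of the ":%u.%u.%u.%u" tail template, the sample addresses are constructed, and the names render(), _words() and _best_zero_run() belong to the example only.

```python
"""Render IPv6 addresses with the embedded-IPv4 text templates listed in the
report's String ID field.  Added example for this page, not code from the
report or the sample.  Template selection follows the BSD inet_ntop6 rules,
which is an assumption: the report does not state which rule the dumped
routine applies."""
import ipaddress

# Templates exactly as they appear in the String ID field above.
TPL_TAIL = ":%u.%u.%u.%u"            # IPv4 tail appended after a hextet prefix
TPL_LEADING = "::%hs%u.%u.%u.%u"     # "::" + optional "ffff:" + dotted quad
TPL_TRANSLATED = "::ffff:0:%u.%u.%u.%u"
PREFIX_MAPPED = "ffff:"              # the "%hs" argument for IPv4-mapped form

# Python's %-formatting has no "%hs" (narrow C string); "%s" is the equivalent.
_TPL_LEADING_PY = TPL_LEADING.replace("%hs", "%s")


def _words(addr):
    """Split a textual IPv6 address into its eight 16-bit words."""
    packed = ipaddress.IPv6Address(addr).packed
    return [(packed[i] << 8) | packed[i + 1] for i in range(0, 16, 2)]


def _best_zero_run(words):
    """(start, length) of the longest run of >= 2 zero words; first run wins
    on ties (RFC 5952).  Returns (-1, 0) when nothing can be compressed."""
    best = (-1, 0)
    i = 0
    while i < 8:
        if words[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and words[j] == 0:
            j += 1
        if j - i > best[1]:
            best = (i, j - i)
        i = j
    return best if best[1] >= 2 else (-1, 0)


def render(addr):
    """Return the text form of addr using the page's templates where they apply."""
    w = _words(addr)
    tail = (w[6] >> 8, w[6] & 0xFF, w[7] >> 8, w[7] & 0xFF)   # last 32 bits
    if w[:5] == [0] * 5 and w[5] == 0xFFFF:
        # IPv4-mapped ::ffff:a.b.c.d -> "::%hs%u.%u.%u.%u" with %hs = "ffff:"
        return _TPL_LEADING_PY % (PREFIX_MAPPED, *tail)
    if w[:4] == [0] * 4 and w[4] == 0xFFFF and w[5] == 0:
        # IPv4-translated (RFC 2765 SIIT) ::ffff:0:a.b.c.d
        return TPL_TRANSLATED % tail
    if w[:6] == [0] * 6 and not (w[6] == 0 and w[7] in (0, 1)):
        # IPv4-compatible ::a.b.c.d, but "::" and "::1" keep the hextet form
        return _TPL_LEADING_PY % ("", *tail)
    if w[:2] == [0x64, 0xFF9B] and w[2:6] == [0] * 4:
        # Illustration only (assumption): NAT64 well-known prefix 64:ff9b::/96
        # rendered with the ":%u.%u.%u.%u" tail template after the prefix.
        return "64:ff9b:" + TPL_TAIL % tail
    # Plain hextet form with the longest zero run compressed to "::".
    base, length = _best_zero_run(w)
    hexs = ["%x" % x for x in w]
    if base < 0:
        return ":".join(hexs)
    return ":".join(hexs[:base]) + "::" + ":".join(hexs[base + length:])


if __name__ == "__main__":
    # Constructed sample addresses, one per template plus the generic form.
    for sample in ("::ffff:10.0.0.1", "::ffff:0:10.0.0.1", "::10.0.0.1",
                   "64:ff9b::192.0.2.33", "2001:db8::1", "::1", "::"):
        print("%-22s -> %s" % (sample, render(sample)))
```

                                                                                                                                                                                                                       Run the file directly to see each constructed address beside its rendering. The practical point for triage: seeing these templates in a dump of netsh.exe at 03C10000 says only that address-formatting code is mapped there; any actual C2 hosts come from the malware configuration section of this report, not from these strings.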
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00A65EB0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,0000000C,?,00000000,?,?,?,?,00A651DC,?,?,?,00A64B22,?,?,?), ref: 00A65D5D
                                                                                                                                                                                                                        • Part of subcall function 00A65EB0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00A651DC,?,?,?,00A64B22,?,?,?,?,?), ref: 00A65D64
                                                                                                                                                                                                                        • Part of subcall function 00A65EB0: PrintMessageFromModule.NETSH(00000068,?,?,00A651DC,?,?,?,00A64B22,?,?,?,?,?), ref: 00A65E91
                                                                                                                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 00A6300B
                                                                                                                                                                                                                      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A63012
                                                                                                                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 00A63032
                                                                                                                                                                                                                      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A63039
                                                                                                                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 00A63058
                                                                                                                                                                                                                      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A6305F
                                                                                                                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A6307B
                                                                                                                                                                                                                      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A63082
                                                                                                                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 00A63091
                                                                                                                                                                                                                      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A63098
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
                                                                                                                                                                                                                       • Associated: 00000008.00000002.4564643629.0000000000A79000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                       • Associated: 00000008.00000002.4564709602.0000000000A7C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_a60000_netsh.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Heap$Process$Free$AllocFromMessageModulePrint
                                                                                                                                                                                                                      • String ID: netsh
                                                                                                                                                                                                                      • API String ID: 695201130-4166728403
                                                                                                                                                                                                                      • Opcode ID: cbad69d7affae1e968d7d265db913e367fe1042a76993525759bf6e8df506d73
                                                                                                                                                                                                                      • Instruction ID: b8450592e90dbfedffa5c47699184bdaf62e58639587b1682398b28707927517
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: cbad69d7affae1e968d7d265db913e367fe1042a76993525759bf6e8df506d73
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B7213D72620200EFDB219FA5DC48B5ABBB9EB58722F11C41AE50D87252C7709D87CB60
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5), ref: 00A68153
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
                                                                                                                                                                                                                       • Associated: 00000008.00000002.4564643629.0000000000A79000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                       • Associated: 00000008.00000002.4564709602.0000000000A7C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_a60000_netsh.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Handle
                                                                                                                                                                                                                      • String ID: NetshStopRefreshEvent
                                                                                                                                                                                                                      • API String ID: 2519475695-639338441
                                                                                                                                                                                                                      • Opcode ID: 716cd4281c2451b177e59439e358d5647b0015c9ab6999c4bc512bd44c40af3d
                                                                                                                                                                                                                      • Instruction ID: bf1b86b78a9b33e0b5fb108f1ea827bb0e0a2b9b96b074ba76e391cc3c1f046d
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 716cd4281c2451b177e59439e358d5647b0015c9ab6999c4bc512bd44c40af3d
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 09314F71910215EFDB11DFA4DC44BEEBBB8FF0A721F104615F525E7290DB7858828B64
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 03CB46FC
                                                                                                                                                                                                                      • CLIENT(ntdll): Processing section info %ws..., xrefs: 03CB4787
                                                                                                                                                                                                                      • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 03CB4655
                                                                                                                                                                                                                      • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 03CB4725
                                                                                                                                                                                                                      • ExecuteOptions, xrefs: 03CB46A0
                                                                                                                                                                                                                      • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 03CB4742
                                                                                                                                                                                                                      • Execute=1, xrefs: 03CB4713
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4565640687.0000000003C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C10000, based on PE: true
• Associated: 00000008.00000002.4565640687.0000000003D39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4565640687.0000000003D3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4565640687.0000000003DAE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_3c10000_netsh.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                                                                                                                                                                      • API String ID: 0-484625025
                                                                                                                                                                                                                      • Opcode ID: c5bd15b9c12725004b08ff2f504e8ff8cc580fb608b977ab3c64132886d7d0a8
                                                                                                                                                                                                                      • Instruction ID: 20248b7e5602fc1de08cd0a9cc8dfdd10341da478feb99978d16134b6a9ff396
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c5bd15b9c12725004b08ff2f504e8ff8cc580fb608b977ab3c64132886d7d0a8
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9351E735A0031D7ADF21EBA5DC85BFEB7B9AB04304F1900A9D905EF181E771AB45CB50
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • PrintMessageFromModule.NETSH(000000CB), ref: 00A64257
                                                                                                                                                                                                                        • Part of subcall function 00A67EA0: LoadStringW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00A6471D,?,?,00004000,?,00000000,?,?,00A6471D,000000B6,?), ref: 00A67ED0
                                                                                                                                                                                                                        • Part of subcall function 00A67EA0: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00A6471D,GetResourceString,?,00A6471D,000000B6,?), ref: 00A67EE2
                                                                                                                                                                                                                        • Part of subcall function 00A6412C: ConvertGuidToString.NETSH(?,?), ref: 00A6417C
                                                                                                                                                                                                                        • Part of subcall function 00A6412C: PrintMessageFromModule.NETSH(000000C8,?,?), ref: 00A6419F
                                                                                                                                                                                                                        • Part of subcall function 00A6412C: PrintMessageFromModule.NETSH(000000C9), ref: 00A641B6
                                                                                                                                                                                                                        • Part of subcall function 00A6412C: PrintMessageFromModule.NETSH(000000CA,?), ref: 00A641D3
                                                                                                                                                                                                                      • PrintMessageFromModule.NETSH(000000CC), ref: 00A64296
                                                                                                                                                                                                                      • PrintMessage.NETSH(%1!s!,00000000), ref: 00A642AB
                                                                                                                                                                                                                      • ConvertGuidToString.NETSH(?,?), ref: 00A642ED
                                                                                                                                                                                                                      • ConvertGuidToString.NETSH(?,?), ref: 00A64301
                                                                                                                                                                                                                      • PrintMessageFromModule.NETSH(000000CD), ref: 00A64315
                                                                                                                                                                                                                      • PrintMessageFromModule.NETSH(000000CE,?,?,?), ref: 00A64345
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
• Associated: 00000008.00000002.4564643629.0000000000A79000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.4564709602.0000000000A7C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_a60000_netsh.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: MessagePrint$FromModule$String$ConvertGuid$AddressLoadProc
                                                                                                                                                                                                                      • String ID: %1!s!
                                                                                                                                                                                                                      • API String ID: 953968408-1485915839
                                                                                                                                                                                                                      • Opcode ID: cd1f54835c4bf6680fa104c402b80d7808ef191df3be9ef9815d9bf7b313bfcb
                                                                                                                                                                                                                      • Instruction ID: 07ff407ad5828c1127f68d0b5b6309dabea262f679a7838a01ff6f7211c693d9
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: cd1f54835c4bf6680fa104c402b80d7808ef191df3be9ef9815d9bf7b313bfcb
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 223106B26102049BEB24DBA8ED95F5A73FAFB88308F518169E50DC7191DF31AD86CB10
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,00000000,00000000), ref: 00A63896
                                                                                                                                                                                                                      • PrintMessageFromModule.NETSH(0000006A,?,?,00000000,00000000), ref: 00A638B2
                                                                                                                                                                                                                      • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,InitHelperDll,?,00000000,00000000), ref: 00A638CA
                                                                                                                                                                                                                      • FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,00000000), ref: 00A638FB
                                                                                                                                                                                                                      • PrintMessageFromModule.NETSH(?,000003ED,InitHelperDll,?,?,00000000,00000000), ref: 00A638F2
                                                                                                                                                                                                                        • Part of subcall function 00A67EA0: LoadStringW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00A6471D,?,?,00004000,?,00000000,?,?,00A6471D,000000B6,?), ref: 00A67ED0
                                                                                                                                                                                                                        • Part of subcall function 00A67EA0: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00A6471D,GetResourceString,?,00A6471D,000000B6,?), ref: 00A67EE2
                                                                                                                                                                                                                      • PrintMessageFromModule.NETSH(00000088,InitHelperDll,?,00000000,?,00000000,00000000), ref: 00A63960
                                                                                                                                                                                                                        • Part of subcall function 00A63CED: _wcsicmp.MSVCRT ref: 00A63D15
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
• Associated: 00000008.00000002.4564643629.0000000000A79000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.4564709602.0000000000A7C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_a60000_netsh.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FromMessageModulePrint$AddressLibraryLoadProc$FreeString_wcsicmp
                                                                                                                                                                                                                      • String ID: InitHelperDll$InitHelperDll
                                                                                                                                                                                                                      • API String ID: 4046571770-3952794692
                                                                                                                                                                                                                      • Opcode ID: d6aa078ff917bdefcbf1f178ef3f50dcff2387be4e3c5e140d504cc7216bee4f
                                                                                                                                                                                                                      • Instruction ID: 74b0fcc44ccee01e854c6574fb897c5e46cdda25add2ee8ef1f218dc39fb5c88
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d6aa078ff917bdefcbf1f178ef3f50dcff2387be4e3c5e140d504cc7216bee4f
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 63310572B50300ABDB11DB98DC95E3A77B5FB84310B408829F80ADB2A1DA75AD43CB41
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,0000000C,00000000,?,?,?,?,?,?,00A6603A,00000000,?,?,?,?,?), ref: 00A65057
                                                                                                                                                                                                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,00A6603A,00000000,?,?,?,?,?,?,?), ref: 00A6505E
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
• Associated: 00000008.00000002.4564643629.0000000000A79000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.4564709602.0000000000A7C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_a60000_netsh.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Heap$AllocProcess
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1617791916-0
                                                                                                                                                                                                                      • Opcode ID: 042a804683699f30705dbe16dfb403310d7cf5315addedbf930a0c8e548a768f
                                                                                                                                                                                                                      • Instruction ID: 2fd3b7283284d7863de2e3a149f38c8a8a0186f94a193da26a6e344c52dc6b9c
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 042a804683699f30705dbe16dfb403310d7cf5315addedbf930a0c8e548a768f
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B571F475E006129BDB24AF78CC507BAB7F1EF58750F55412AE98ADB380EA31CD82C790
APIs
• GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,00000000,00000000,?), ref: 00A676EF
• GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00A676F6
• GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?), ref: 00A67711
• SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00A67718
• GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,00000001,?,00000000), ref: 00A6772C
• ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00A67733
• GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?), ref: 00A6778E
• SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00A67795
• fputwc.MSVCRT ref: 00A677AA
Memory Dump Source
• Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
• Associated: 00000008.00000002.4564643629.0000000000A79000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.4564709602.0000000000A7C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_a60000_netsh.jbxd
Similarity
• API ID: ConsoleHandle$Mode$Readfputwc
• String ID:
• API String ID: 2610215220-0
• Opcode ID: 55a11e502aafff4a6c3582a2384357cab3527ce6c7b8cf2015f341d05e239012
• Instruction ID: f896ce5c8851359caa7d3383fabefe91d3b0a6fe5c7b7cd50110aa512486b742
• Opcode Fuzzy Hash: 55a11e502aafff4a6c3582a2384357cab3527ce6c7b8cf2015f341d05e239012
• Instruction Fuzzy Hash: 9921B476924106EFDB209BE8DC48AEE777CEF04324F204626F969D61D0D7708D82CB61
APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00008000), ref: 00A67FCD
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A67FD4
• LoadStringW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,00000000,00004000), ref: 00A67FEC
• FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000500,00000000,00000000,00000000,?,00000000,?), ref: 00A68007
  • Part of subcall function 00A67920: GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,000000B6,000000FF,00000000,00000000,00000000,00000000,00A6471D,00000000,00004000,00000000,00000000,?,00A67E48,?,00A67F23), ref: 00A67939
  • Part of subcall function 00A67920: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,?,00A67E48,?,00A67F23,?,00A6471D,000000B6,?), ref: 00A67940
  • Part of subcall function 00A67920: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,00A67E48,?,00A67F23,?,00A6471D,000000B6,?), ref: 00A6794A
  • Part of subcall function 00A67920: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00A67E48,?,00A67F23,?,00A6471D,000000B6,?), ref: 00A67951
  • Part of subcall function 00A67920: GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,000000B6,000000FF,00000000,00000000,00000000,00000000,?,00A67E48,?,00A67F23,?,00A6471D,000000B6,?), ref: 00A67969
  • Part of subcall function 00A67920: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,?,00A67E48,?,00A67F23,?,00A6471D,000000B6,?), ref: 00A67970
  • Part of subcall function 00A67920: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(000000B6,00000000,-00000001,00A6471D,00000000,?,00A67E48,?,00A67F23,?,00A6471D,000000B6,?), ref: 00A67981
  • Part of subcall function 00A67920: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,-00000001,00A6471D,00000000,?,00A67E48,?,00A67F23,?,00A6471D,000000B6,?), ref: 00A67998
  • Part of subcall function 00A67920: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,00A67E48,?,00A67F23,?,00A6471D,000000B6,?), ref: 00A679A8
  • Part of subcall function 00A67920: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00A67E48,?,00A67F23,?,00A6471D,000000B6,?), ref: 00A679B4
  • Part of subcall function 00A67920: PrintError.NETSH(00000000,00000000,?,00A67E48,?,00A67F23,?,00A6471D,000000B6,?), ref: 00A679BC
  • Part of subcall function 00A67920: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,00A67E48,?,00A67F23,?,00A6471D,000000B6,?), ref: 00A679C5
  • Part of subcall function 00A67920: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00A67E48,?,00A67F23,?,00A6471D,000000B6,?), ref: 00A679CC
  • Part of subcall function 00A69CA9: __iob_func.MSVCRT ref: 00A69CAE
• fflush.MSVCRT ref: 00A68026
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 00A68030
• HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A68037
• LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?), ref: 00A68045
Memory Dump Source
• Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
• Associated: 00000008.00000002.4564643629.0000000000A79000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.4564709602.0000000000A7C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_a60000_netsh.jbxd
Similarity
• API ID: Heap$Process$Free$AllocByteCharConsoleErrorFileMultiOutputWideWrite$CloseFormatHandleLastLoadLocalMessagePrintString__iob_funcfflush
• String ID:
• API String ID: 2883199061-0
• Opcode ID: c1bf586a548a9404811d3b7b23060f5ddbd03c1dbcb4428428ff52c0c9964b8c
• Instruction ID: 79768dae40be110e2ff0aaf60a4118aa1e6e26f19039560271d9ea635e42f626
• Opcode Fuzzy Hash: c1bf586a548a9404811d3b7b23060f5ddbd03c1dbcb4428428ff52c0c9964b8c
• Instruction Fuzzy Hash: 64114CB6510208BFDB109FE5EC49EDF7B7DFB48361B108526FA0992150DA719D46CA60
APIs
• Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0(000003E8,00A69D60,0000000C), ref: 00A694E0
• _amsg_exit.MSVCRT ref: 00A694F5
• _initterm.MSVCRT ref: 00A69549
• __IsNonwritableInCurrentImage.LIBCMT ref: 00A69575
• exit.MSVCRT ref: 00A695BC
• _XcptFilter.MSVCRT ref: 00A695CE
Memory Dump Source
• Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
• Associated: 00000008.00000002.4564643629.0000000000A79000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.4564709602.0000000000A7C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_a60000_netsh.jbxd
Similarity
• API ID: CurrentFilterImageNonwritableSleepXcpt_amsg_exit_inittermexit
• String ID:
• API String ID: 796493780-0
• Opcode ID: d04f8e630a48d6eb757cb05bff90e6f8e32b2d76576d9f8ec237a5c037517ae3
• Instruction ID: 58a82e29ea7c66d9d0b7e08753f7ed50bc6326fcb68f0d1d6e70ba190dd64cfa
• Opcode Fuzzy Hash: d04f8e630a48d6eb757cb05bff90e6f8e32b2d76576d9f8ec237a5c037517ae3
• Instruction Fuzzy Hash: 94319577A84311EFDF26DFA4ED4561A77B8FB04760F118129E50A9B2E0DF314A82DB50
APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00004008), ref: 00A630E5
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A630EC
• ProcessCommand.NETSH(?,?,?,netsh), ref: 00A63152
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,netsh), ref: 00A63165
• HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A6316C
Strings
Memory Dump Source
• Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
• Associated: 00000008.00000002.4564643629.0000000000A79000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.4564709602.0000000000A7C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_a60000_netsh.jbxd
Similarity
• API ID: Heap$Process$AllocCommandFree
• String ID: netsh
• API String ID: 2704014861-4166728403
• Opcode ID: a496c393c5125229d9cfc1ab363f7352f0ef75cb418e208d905ffb500513fe89
• Instruction ID: eeecaab12c6616521edb88254f8975cbc5e26c3f6eff64a009eab5003b4dd3ea
• Opcode Fuzzy Hash: a496c393c5125229d9cfc1ab363f7352f0ef75cb418e208d905ffb500513fe89
• Instruction Fuzzy Hash: EA11B172A00605ABCB11DFA4DD08E5E77B9AB85711F198119B9099B341CB30DE43C7A1
APIs
• _wcsicmp.MSVCRT ref: 00A64512
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,00000000,?,?,?,00A64828), ref: 00A64548
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00A64828), ref: 00A6454F
• memcpy.MSVCRT(00000000,?,?,?,00A64828), ref: 00A6456A
• memcpy.MSVCRT(?,?,?,?,00A64828), ref: 00A6457F
• memcpy.MSVCRT(?,?,?,?,?,?,00A64828), ref: 00A645A9
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,00A64828), ref: 00A645BD
• HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,00A64828), ref: 00A645C4
Memory Dump Source
• Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
• Associated: 00000008.00000002.4564643629.0000000000A79000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.4564709602.0000000000A7C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_a60000_netsh.jbxd
Similarity
• API ID: Heap$memcpy$Process$AllocFree_wcsicmp
• String ID:
• API String ID: 1032568189-0
• Opcode ID: 4ee692dcd977794a1b70335ea8498afc78797bd2244cee56ed8b83417e080290
• Instruction ID: 988147f0bec5cbb5d5a716e53ad158bfbb798dfe7d40322ea9fede47c8211978
• Opcode Fuzzy Hash: 4ee692dcd977794a1b70335ea8498afc78797bd2244cee56ed8b83417e080290
• Instruction Fuzzy Hash: 02319E72600A019FD7289FB9CE85927BBFAFF88315704592EE247C6DA0DA31FC518B10

Memory Dump Source
• Source File: 00000008.00000002.4565640687.0000000003C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C10000, based on PE: true
• Associated: 00000008.00000002.4565640687.0000000003D39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4565640687.0000000003D3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4565640687.0000000003DAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3c10000_netsh.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
• Instruction ID: e532b9ff79d63fd7d9270806825c8269d0ff01912aeebf21d0e6a2623eec83c7
• Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
• Instruction Fuzzy Hash: 3D022475608341AFD305DF28D990A6BBBE5FFC8704F048A2DF9898B264DB31E915CB52

APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,00A632C6,?,?,?,00000000,?,?), ref: 00A632EC
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00A632C6,?,?,?,00000000,?,?,?,00A62F69,?,?), ref: 00A632F3
• memcpy.MSVCRT(00000000,?,?,?,00A632C6,?,?,?,00000000,?,?,?,00A62F69,?,?), ref: 00A63309
• qsort.MSVCRT ref: 00A6331A
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 00A63350
• HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A63357
Memory Dump Source
• Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
• Associated: 00000008.00000002.4564643629.0000000000A79000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.4564709602.0000000000A7C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_a60000_netsh.jbxd
Similarity
• API ID: Heap$Process$AllocFreememcpyqsort
• String ID:
• API String ID: 3964738767-0
• Opcode ID: 10b3c35fe533c7119b00e2861b02e0d77200796ae577c9aceee0b49b589eda37
• Instruction ID: 469e55f58a597549b812460a8771614fd9d136b4e9ac6d389ea9a3c83ec9d19f
• Opcode Fuzzy Hash: 10b3c35fe533c7119b00e2861b02e0d77200796ae577c9aceee0b49b589eda37
• Instruction Fuzzy Hash: 09119432500604FFDF119BA5DD85EAFBBB8FF58315F10441AF64696650CA74AA429B20

APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000044,00000000,00000000,?,?,?,00A67C75,-00000001,00000000,00000000,?,00A679C1,00000000,00000000), ref: 00A67B61
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00A67C75,-00000001,00000000,00000000,?,00A679C1,00000000,00000000,?,00A67E48,?,00A67F23,?,00A6471D), ref: 00A67B68
• CreateWellKnownSid.API-MS-WIN-SECURITY-BASE-L1-1-0(0000001A,00000000,00000000,00A6471D,?,00A67C75,-00000001,00000000,00000000,?,00A679C1,00000000,00000000,?,00A67E48), ref: 00A67B7C
• CheckTokenMembership.API-MS-WIN-SECURITY-BASE-L1-1-0(00000000,00000000,000000B6,?,00A67C75,-00000001,00000000,00000000,?,00A679C1,00000000,00000000,?,00A67E48,?,00A67F23), ref: 00A67B8C
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,00A67C75,-00000001,00000000,00000000,?,00A679C1,00000000,00000000,?,00A67E48,?,00A67F23), ref: 00A67B9F
• HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00A67C75,-00000001,00000000,00000000,?,00A679C1,00000000,00000000,?,00A67E48,?,00A67F23,?,00A6471D), ref: 00A67BA6
Memory Dump Source
• Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
• Associated: 00000008.00000002.4564643629.0000000000A79000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.4564709602.0000000000A7C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_a60000_netsh.jbxd
Similarity
• API ID: Heap$Process$AllocCheckCreateFreeKnownMembershipTokenWell
• String ID:
• API String ID: 2370236486-0
• Opcode ID: 8ccf050671a90a57506100cc36d460ad2aa30774dbc88894c7943a39d8203c35
• Instruction ID: c8643e975f3649a40243e1e56bb50f1ffaeabec6185ce86ed4c35cd9fd7d2952
• Opcode Fuzzy Hash: 8ccf050671a90a57506100cc36d460ad2aa30774dbc88894c7943a39d8203c35
• Instruction Fuzzy Hash: D2011DB2911115BB9B20DBA69C4CDEFBEBCDF86B65B014156BA09D2110D7708D42D6B0

APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00008000), ref: 00A67A3A
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A67A41
• LoadStringW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,00000000,00004000), ref: 00A67A59
• FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000500,00000000,00000000,00000000,?,00000000,?), ref: 00A67A74
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 00A67A7C
• HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A67A83
Memory Dump Source
• Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
• Associated: 00000008.00000002.4564643629.0000000000A79000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.4564709602.0000000000A7C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_a60000_netsh.jbxd
Similarity
• API ID: Heap$Process$AllocFormatFreeLoadMessageString
• String ID:
• API String ID: 3754540327-0
• Opcode ID: 5491297bdc2b5c3e6adf7eaaa1b0d2d0b18a887009fa15fbf558e2fe6eb98591
• Instruction ID: a52c112a3763b5894bb2e908ae08d2218be2105d7cde2bc31e8d7dfcdc0aad8e
• Opcode Fuzzy Hash: 5491297bdc2b5c3e6adf7eaaa1b0d2d0b18a887009fa15fbf558e2fe6eb98591
• Instruction Fuzzy Hash: 6A01FBB6910114BBDB209BE6DC0CEDF7EBCEB89762B008056BA0DD2150D6709A42CA60

APIs
• SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,00000000), ref: 00A68244
• WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?), ref: 00A68250
• ResetEvent.API-MS-WIN-CORE-SYNCH-L1-1-0(?), ref: 00A6825D
• SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0(00A68060,00000000), ref: 00A6826A
• CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 00A68273
• CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 00A6827C
Memory Dump Source
• Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
• Associated: 00000008.00000002.4564643629.0000000000A79000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.4564709602.0000000000A7C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_a60000_netsh.jbxd
Similarity
• API ID: CloseConsoleHandle$CtrlCursorEventHandlerObjectPositionResetSingleWait
• String ID:
• API String ID: 2461670359-0
• Opcode ID: d30b3bbefa1b2cdbcdbe72bab87326eedff09055bd21c48e30dd297da0a02813
• Instruction ID: 2e8da251c420006c7492104b2df691bce59480f21a81d2c7ffbb2c93a8288c0a
• Opcode Fuzzy Hash: d30b3bbefa1b2cdbcdbe72bab87326eedff09055bd21c48e30dd297da0a02813
• Instruction Fuzzy Hash: 1BF0F471220209FFCF41AFB0DC08A9E3B79FB48341F14C625F91AC5060DB718AA6DB50

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.4565640687.0000000003C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C10000, based on PE: true
• Associated: 00000008.00000002.4565640687.0000000003D39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4565640687.0000000003D3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4565640687.0000000003DAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3c10000_netsh.jbxd
Similarity
• API ID: __aulldvrm
• String ID: +$-$0$0
• API String ID: 1302938615-699404926
• Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                                                                                                                                                                                      • Instruction ID: aef3d5f44a4d40ba59e9055c7f6c6710cb36acd96cef38f3705d966c99d312d5
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: E881BE70E452499ADF28EF68C8917FEBBA5AF45318F1C465AD861EB390C6349F408B60
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.4565640687.0000000003C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C10000, based on PE: true
• Associated: 00000008.00000002.4565640687.0000000003D39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4565640687.0000000003D3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4565640687.0000000003DAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3c10000_netsh.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: %%%u$[$]:%u
• API String ID: 48624451-2819853543
• Opcode ID: dd6849cd5818d10b122de471ba79343a1ba9a3a4c271bacaf8c229b91a2863b8
• Instruction ID: 7092ca923067a8df4b7ce562a2d5ab911eca53bb969eb744790180283465b430
• Opcode Fuzzy Hash: dd6849cd5818d10b122de471ba79343a1ba9a3a4c271bacaf8c229b91a2863b8
• Instruction Fuzzy Hash: AF21817AA00219AFDB50EF69CC40AEEB7F8EF44644F094526EA05E7200E731DA019BA5
APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 00A63695
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A6369C
• memcpy.MSVCRT(00000000,?), ref: 00A636B2
• memcpy.MSVCRT(?,?,?,00000000,?), ref: 00A636D5
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 00A636E7
• HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A636EE
Memory Dump Source
• Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
• Associated: 00000008.00000002.4564643629.0000000000A79000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.4564709602.0000000000A7C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_a60000_netsh.jbxd
Similarity
• API ID: Heap$Processmemcpy$AllocFree
• String ID:
• API String ID: 1904491526-0
• Opcode ID: 83b2bf7b605e6932dce9266ac7878ed18e07e572fcb86641ce851412d6e0c5cf
• Instruction ID: c2244a2e7e13c306086b02d48adcefcb4a8cd38c83aafb84b16d6f73a147dc92
• Opcode Fuzzy Hash: 83b2bf7b605e6932dce9266ac7878ed18e07e572fcb86641ce851412d6e0c5cf
• Instruction Fuzzy Hash: BB21C1F6A00111BFDF00DFA4DD49A4ABBB8EB44764B018065E809E7250D730EE82DA90
APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 00A622CF
• HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A622D6
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 00A622E1
• HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A622E8
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 00A622F1
• HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A622F8
Memory Dump Source
• Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
• Associated: 00000008.00000002.4564643629.0000000000A79000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.4564709602.0000000000A7C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_a60000_netsh.jbxd
Similarity
• API ID: Heap$FreeProcess
• String ID:
• API String ID: 3859560861-0
• Opcode ID: 670a177e742d0c6011e0aa3708d6db0fea7b2a2c665c21086a78e1503b5534f6
• Instruction ID: 3451f05804fd7e34c4c44233a94d562932797a74e943f1b2386d668dda1f4978
• Opcode Fuzzy Hash: 670a177e742d0c6011e0aa3708d6db0fea7b2a2c665c21086a78e1503b5534f6
• Instruction Fuzzy Hash: D021C671A10101EFDB149FB4DC54BAAB776FF99725F18C065E6098B250E7319D82CB50
APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,00000000,00A63604), ref: 00A64470
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,00000000,00A63604), ref: 00A64477
• memcpy.MSVCRT(00000000,?,?,?,?,00000000,00A63604), ref: 00A6448E
• memcpy.MSVCRT(?,?,?,00000000,?,?,?,?,00000000,00A63604), ref: 00A644B0
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,00A63604), ref: 00A644C0
• HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,00A63604), ref: 00A644C7
Memory Dump Source
• Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
• Associated: 00000008.00000002.4564643629.0000000000A79000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.4564709602.0000000000A7C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_a60000_netsh.jbxd
Similarity
• API ID: Heap$Processmemcpy$AllocFree
• String ID:
• API String ID: 1904491526-0
• Opcode ID: 2b508190f2bf244664019998f256958cbf1bbe75cf744f154ae6601fd56923c3
• Instruction ID: d8959b1fca8e566aabfe36e4a2b12a41a52a39122ca03cebce72a0767434266d
• Opcode Fuzzy Hash: 2b508190f2bf244664019998f256958cbf1bbe75cf744f154ae6601fd56923c3
• Instruction Fuzzy Hash: 6411EB72214A00AFD7189BB4DD9EA57F7BDFB4C310B40591EF24BC6990DA70F8418B10
APIs
• GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?), ref: 00A680BE
• FillConsoleOutputCharacterW.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,00000020,?,?,?), ref: 00A680DA
• GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?), ref: 00A680E5
• FillConsoleOutputAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?), ref: 00A68104
• SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?), ref: 00A6810E
Memory Dump Source
• Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
• Associated: 00000008.00000002.4564643629.0000000000A79000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.4564709602.0000000000A7C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_a60000_netsh.jbxd
Similarity
• API ID: Console$BufferFillInfoOutputScreen$AttributeCharacterCursorPosition
• String ID:
• API String ID: 2018928815-0
• Opcode ID: 311791f8df3aef0aa44fc5a1c26814c2155b8c0388292aac4d7aa90e2b33807e
• Instruction ID: 288758b8be17b62341abfd4111566f4749dc444d40368521628e95ef082a194e
• Opcode Fuzzy Hash: 311791f8df3aef0aa44fc5a1c26814c2155b8c0388292aac4d7aa90e2b33807e
• Instruction Fuzzy Hash: 2C11F072910129AB9F01DBE5DD88DFFBBBCFB49600B00402AF905F2110DB38AA06DB71
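The entries above record, for each function lifted from a memory dump, its API call sites with addresses, the dump it came from, and the Joe Sandbox similarity identifiers and fuzzy hashes. Consuming them by hand is impractical at this volume, so the following is an added example, not part of this report or of Joe Sandbox: a small Python parser for the entry format, plus two helpers that use the parsed records the way an analyst would, one to bucket functions by a Similarity field (the two functions at 00A636xx and 00A644xx share API String ID 1904491526-0 but have different instruction hashes) and one to match an in-order API sequence such as HeapAlloc then memcpy then HeapFree. SAMPLE is constructed from entries on this page, trimmed to the lines the parser needs, and one Associated line deliberately keeps the "Download File" link text that HTML exports of these reports append so its removal is exercised. The names FuncEntry, parse_entries, find_sequence and group_by are my own; the .sdmp file-name fields are treated as opaque, which is an assumption, and only the explicit "Offset:" value is used as the dump base.

```python
"""Parse Joe Sandbox function-level "Similarity" entries into records.

Added example, not Joe Sandbox code: SAMPLE is copied from entries on this page
(trimmed), and every helper name here is my own.
"""
import re
from dataclasses import dataclass, field

API_RE = re.compile(r"^•\s*(\w+)\.([\w.\-]+)\((.*)\), ref: ([0-9A-Fa-f]+)$")
STR_RE = re.compile(r"^•\s*(.*), xrefs: ([0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"^•\s*Source File: (\S+), Offset: ([0-9A-Fa-f]+), based on PE: (true|false)$")
KV_RE = re.compile(r"^•\s*([\w ]+): ?(.*)$")
SECTIONS = ("APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")


@dataclass
class FuncEntry:
    apis: list = field(default_factory=list)       # (name, module, args, call-site address)
    strings: list = field(default_factory=list)    # (text, xref address)
    source_file: str = ""
    base: int = 0                                  # "Offset:" of the dump the function came from
    based_on_pe: bool = False
    associated: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)       # Snapshot File, API ID ... Instruction Fuzzy Hash

    def api_names(self):
        return [a[0] for a in self.apis]

    def rvas(self):
        """Call-site offsets relative to the dump base, for use against the dumped PE."""
        return [a[3] - self.base for a in self.apis]


def parse_entries(text):
    """Split report text into entries; 'Instruction Fuzzy Hash' closes each one.
    A trailing entry lacking that line (report cut mid-entry) is kept as a partial record."""
    entries, cur, section = [], FuncEntry(), ""
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line
        elif section == "APIs" and (m := API_RE.match(line)):
            cur.apis.append((m[1], m[2], m[3], int(m[4], 16)))
        elif section == "Strings" and (m := STR_RE.match(line)):
            cur.strings.append((m[1], int(m[2], 16)))
        elif section == "Memory Dump Source" and (m := SRC_RE.match(line)):
            cur.source_file, cur.base, cur.based_on_pe = m[1], int(m[2], 16), m[3] == "true"
        elif section == "Memory Dump Source" and (m := KV_RE.match(line)):
            cur.associated.append(m[2].replace("Download File", "").strip())  # drop HTML link text
        elif section in SECTIONS[3:] and (m := KV_RE.match(line)):
            cur.meta[m[1]] = m[2]
            if m[1] == "Instruction Fuzzy Hash":
                entries.append(cur)
                cur, section = FuncEntry(), ""
    if cur.apis or cur.strings or cur.source_file:
        entries.append(cur)  # partial trailing entry
    return entries


def find_sequence(entries, wanted):
    """Entries whose call order contains `wanted` as an in-order subsequence (gaps allowed)."""
    hits = []
    for e in entries:
        it = iter(e.api_names())
        if all(any(n == w for n in it) for w in wanted):
            hits.append(e)
    return hits


def group_by(entries, key):
    """Bucket entries by a Similarity field, e.g. 'API String ID' to find same-profile functions."""
    groups = {}
    for e in entries:
        groups.setdefault(e.meta.get(key, ""), []).append(e)
    return groups


# Constructed sample: three entries copied from this page and trimmed; the last one is
# deliberately cut before its Similarity block to exercise the partial-entry path.
SAMPLE = """\
APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 00A63695
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A6369C
• memcpy.MSVCRT(00000000,?), ref: 00A636B2
• memcpy.MSVCRT(?,?,?,00000000,?), ref: 00A636D5
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 00A636E7
• HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A636EE
Memory Dump Source
• Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
• Associated: 00000008.00000002.4564643629.0000000000A79000.00000040.80000000.00040000.00000000.sdmpDownload File
Similarity
• API ID: Heap$Processmemcpy$AllocFree
• String ID:
• API String ID: 1904491526-0
• Instruction Fuzzy Hash: BB21C1F6A00111BFDF00DFA4DD49A4ABBB8EB44764B018065E809E7250D730EE82DA90
APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,00000000,00A63604), ref: 00A64470
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,00000000,00A63604), ref: 00A64477
• memcpy.MSVCRT(00000000,?,?,?,?,00000000,00A63604), ref: 00A6448E
• memcpy.MSVCRT(?,?,?,00000000,?,?,?,?,00000000,00A63604), ref: 00A644B0
• HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,00A63604), ref: 00A644C7
Memory Dump Source
• Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
Similarity
• API ID: Heap$Processmemcpy$AllocFree
• API String ID: 1904491526-0
• Instruction Fuzzy Hash: 6411EB72214A00AFD7189BB4DD9EA57F7BDFB4C310B40591EF24BC6990DA70F8418B10
Strings
• RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 03CB02BD
• RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 03CB02E7
• RTL: Re-Waiting, xrefs: 03CB031E
Memory Dump Source
• Source File: 00000008.00000002.4565640687.0000000003C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C10000, based on PE: true
"""

if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        print(hex(e.base), e.meta.get("API String ID", "<partial>"), e.api_names())
```

Point the script at the saved report text instead of SAMPLE to get the full function list; group_by on "API String ID" then collapses the thousands of entries into API-and-string profiles, and rvas() gives offsets you can seek to in the corresponding .sdmp dump without the load address.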
Strings
• RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 03CB02BD
• RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 03CB02E7
• RTL: Re-Waiting, xrefs: 03CB031E
Memory Dump Source
• Source File: 00000008.00000002.4565640687.0000000003C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C10000, based on PE: true
• Associated: 00000008.00000002.4565640687.0000000003D39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4565640687.0000000003D3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4565640687.0000000003DAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3c10000_netsh.jbxd
Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                                                                                                                                                                      • API String ID: 0-2474120054
                                                                                                                                                                                                                      • Opcode ID: df08c1b228a7eaad7264d8d0b8aefb655e38c1b4b5eab522d1973569f4288f39
                                                                                                                                                                                                                      • Instruction ID: 8f30ada1aad5501366e19e0a083723e0b206f5e0b0f14616f9f80c3cf87a301c
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: df08c1b228a7eaad7264d8d0b8aefb655e38c1b4b5eab522d1973569f4288f39
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1EE1CA316087419FD724CF28D884B6AB7E0BF89324F180A6DF5A5CB2E1D775EA44CB52
Strings
• RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 03CB7B7F
• RTL: Re-Waiting, xrefs: 03CB7BAC
• RTL: Resource at %p, xrefs: 03CB7B8E
Memory Dump Source
• Source File: 00000008.00000002.4565640687.0000000003C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C10000, based on PE: true
• Associated: 00000008.00000002.4565640687.0000000003D39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4565640687.0000000003D3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4565640687.0000000003DAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3c10000_netsh.jbxd
Similarity
• API ID:
• String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
• API String ID: 0-871070163
• Opcode ID: ecef6352d5f006aece2ffc3839fea763215ea12560ef691dd07482acead21bb3
• Instruction ID: eee9b899b691cdc3306e3c1a021219b1780e0e73746ec4fa09fe805d271999ec
• Opcode Fuzzy Hash: ecef6352d5f006aece2ffc3839fea763215ea12560ef691dd07482acead21bb3
• Instruction Fuzzy Hash: 4441BE393047029FD724DE25CC40B6AB7E5EF89B10F140A2DFD5ADB680DB31EA068B91
APIs
• PrintMessage.NETSH(%1!s!,?), ref: 00A62F05
  • Part of subcall function 00A67241: _wcsicmp.MSVCRT ref: 00A67267
  • Part of subcall function 00A67241: _wcsicmp.MSVCRT ref: 00A67287
  • Part of subcall function 00A67241: _wcsicmp.MSVCRT ref: 00A672B0
• PrintMessageFromModule.NETSH(00000065), ref: 00A62E37
  • Part of subcall function 00A67EA0: LoadStringW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00A6471D,?,?,00004000,?,00000000,?,?,00A6471D,000000B6,?), ref: 00A67ED0
  • Part of subcall function 00A67EA0: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00A6471D,GetResourceString,?,00A6471D,000000B6,?), ref: 00A67EE2
• PrintMessageFromModule.NETSH(00000064,?), ref: 00A62F1A
Strings
Memory Dump Source
• Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
• Associated: 00000008.00000002.4564643629.0000000000A79000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.4564709602.0000000000A7C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_a60000_netsh.jbxd
Similarity
• API ID: MessagePrint_wcsicmp$FromModule$AddressLoadProcString
• String ID: %1!s!
• API String ID: 3716039470-1485915839
• Opcode ID: 98ddd488e1940fe6a52ed56d54a1499c9ea1ee0c685e7e313532310460b9ae5b
• Instruction ID: c2857f7d333bfaf27585218857f2e1d762e00c5329eee8f581ed998a631d33df
• Opcode Fuzzy Hash: 98ddd488e1940fe6a52ed56d54a1499c9ea1ee0c685e7e313532310460b9ae5b
• Instruction Fuzzy Hash: EE416A366001189BCF21EFA4DD91B9E7772FF44300F1581A5EB0A77291CB32AE51CB99
APIs
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 03CB728C
Strings
• RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 03CB7294
• RTL: Re-Waiting, xrefs: 03CB72C1
• RTL: Resource at %p, xrefs: 03CB72A3
Memory Dump Source
• Source File: 00000008.00000002.4565640687.0000000003C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C10000, based on PE: true
• Associated: 00000008.00000002.4565640687.0000000003D39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4565640687.0000000003D3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4565640687.0000000003DAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3c10000_netsh.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
• String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
• API String ID: 885266447-605551621
• Opcode ID: a1bc301069ea5529d272ef2f1c9b18f39f0b15a365c3a13cc2337f9dc372bfde
• Instruction ID: c35c59930f4e74840bf8680c78256eb6175391c7444c18b9a9dbdd58cb239a37
• Opcode Fuzzy Hash: a1bc301069ea5529d272ef2f1c9b18f39f0b15a365c3a13cc2337f9dc372bfde
• Instruction Fuzzy Hash: 4341CE36600306ABC720DE25CC41BAAB7B5FF85710F190619FD95EF240DB21F9529BD1
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.4565640687.0000000003C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C10000, based on PE: true
• Associated: 00000008.00000002.4565640687.0000000003D39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4565640687.0000000003D3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4565640687.0000000003DAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3c10000_netsh.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: %%%u$]:%u
• API String ID: 48624451-3050659472
• Opcode ID: f0901a46e2b59d50ffae4dcebbc10f9589d488ba6549e40815126ed678372f68
• Instruction ID: c54d69d0b20866da5790f59f01886fea536679e696c0108483d8b562fae5b282
• Opcode Fuzzy Hash: f0901a46e2b59d50ffae4dcebbc10f9589d488ba6549e40815126ed678372f68
• Instruction Fuzzy Hash: 0C31987AA006199FDB60DF29CC40BEEB7FCEF44610F450956E949E7200EB30DB489BA0
APIs
• RegGetValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,System\CurrentControlSet\Services\RemoteAccess\Parameters,MultiTenancyEnabled,00000018,00000000,00000000,00000004), ref: 00A68C30
• RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000), ref: 00A68C52
Strings
• MultiTenancyEnabled, xrefs: 00A68C23
• System\CurrentControlSet\Services\RemoteAccess\Parameters, xrefs: 00A68C28
Memory Dump Source
• Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
• Associated: 00000008.00000002.4564643629.0000000000A79000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.4564709602.0000000000A7C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_a60000_netsh.jbxd
Similarity
• API ID: CloseValue
• String ID: MultiTenancyEnabled$System\CurrentControlSet\Services\RemoteAccess\Parameters
• API String ID: 3132538880-1071825540
• Opcode ID: 65f91a2ef22133f67403253728eeb10cdb59229f7f9a5b609f679ee9760fa3c9
• Instruction ID: 2db2a7391a2bd810abced1a18b6e133f3917be5ad34bfc875f05165fbcf4b0ae
• Opcode Fuzzy Hash: 65f91a2ef22133f67403253728eeb10cdb59229f7f9a5b609f679ee9760fa3c9
• Instruction Fuzzy Hash: DF01ADB2C41218FBCB21CBD4CD09BDE7BB8EB14752F108261E905B2190DB348F99DBA0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • MatchToken.NETSH(?,help), ref: 00A6439F
                                                                                                                                                                                                                        • Part of subcall function 00A67690: _wcsnicmp.MSVCRT ref: 00A676BC
                                                                                                                                                                                                                      • MatchToken.NETSH(?,00A612B0,?,help), ref: 00A643B0
                                                                                                                                                                                                                        • Part of subcall function 00A63B75: _wcsicmp.MSVCRT ref: 00A63BA6
                                                                                                                                                                                                                        • Part of subcall function 00A63B75: RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,SOFTWARE\Microsoft\NetSh,00000000,STRING,00000000,000F003F,00000000,?,00000000), ref: 00A63BE3
                                                                                                                                                                                                                        • Part of subcall function 00A63B75: _wcsdup.MSVCRT ref: 00A63BF4
                                                                                                                                                                                                                        • Part of subcall function 00A63B75: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 00A63C07
                                                                                                                                                                                                                      • PrintMessageFromModule.NETSH(00000068,?,00A612B0,?,help), ref: 00A643CE
                                                                                                                                                                                                                        • Part of subcall function 00A67EA0: LoadStringW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00A6471D,?,?,00004000,?,00000000,?,?,00A6471D,000000B6,?), ref: 00A67ED0
                                                                                                                                                                                                                        • Part of subcall function 00A67EA0: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00A6471D,GetResourceString,?,00A6471D,000000B6,?), ref: 00A67EE2
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4564643629.0000000000A79000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4564709602.0000000000A7C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_a60000_netsh.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: MatchToken$AddressCloseCreateFromLoadMessageModulePrintProcString_wcsdup_wcsicmp_wcsnicmp
                                                                                                                                                                                                                      • String ID: help
                                                                                                                                                                                                                      • API String ID: 611077269-143088812
                                                                                                                                                                                                                      • Opcode ID: ce69d90b9c4ba20dc86b279e9a46c34a06fed6258264aa973f525be78ddde4ce
                                                                                                                                                                                                                      • Instruction ID: 103e93b753306bdeddc3d4b2418e814bb7e200cf24e05096d792b31a01a7cc44
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ce69d90b9c4ba20dc86b279e9a46c34a06fed6258264aa973f525be78ddde4ce
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: CFF06D3A214616AADB116F9CDE56D6E3B79EB98324F104027F900DB250EB26EC22C752
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • OpenEventW.API-MS-WIN-CORE-SYNCH-L1-1-0(001F0003,00000000,NetshStopRefreshEvent), ref: 00A68078
                                                                                                                                                                                                                      • SetEvent.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000), ref: 00A68085
                                                                                                                                                                                                                      • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 00A6808C
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4564643629.0000000000A79000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4564709602.0000000000A7C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_a60000_netsh.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Event$CloseHandleOpen
                                                                                                                                                                                                                      • String ID: NetshStopRefreshEvent
                                                                                                                                                                                                                      • API String ID: 1560313832-639338441
                                                                                                                                                                                                                      • Opcode ID: bb3712c89a8dd76e5ca54ec580fa186fc44a03622fa3d4a0fc542529404fc916
                                                                                                                                                                                                                      • Instruction ID: 5a4bd27294384b4f922015d8f60d6c7e530f4f44655c6e652b619db5a9ddb070
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: bb3712c89a8dd76e5ca54ec580fa186fc44a03622fa3d4a0fc542529404fc916
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 03E07232A81B24ABCB22A3B15C0CF6B3ABC9B08712F828621F60DE1050CE748C4681E0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?), ref: 00A63522
                                                                                                                                                                                                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A63529
                                                                                                                                                                                                                      • memcpy.MSVCRT(00000000,?,?), ref: 00A63548
                                                                                                                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A6358E
                                                                                                                                                                                                                      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A63595
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4564643629.0000000000A79000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4564709602.0000000000A7C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_a60000_netsh.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Heap$Process$AllocFreememcpy
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3405790324-0
                                                                                                                                                                                                                      • Opcode ID: 94b780c5e91f7e61a09fa9276b8c59f00515ae6c91b2eee799845bb99a262fb6
                                                                                                                                                                                                                      • Instruction ID: b9c115e060d8e910e6459470e76e2194451454f41b8a05743ad028a96c198aa8
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 94b780c5e91f7e61a09fa9276b8c59f00515ae6c91b2eee799845bb99a262fb6
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 241190F6840205AFDB00DFA4DC0599ABBB9FB89311F11C066E90DDB250D770AA86DF50
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • ConvertGuidToString.NETSH(?,?), ref: 00A6417C
                                                                                                                                                                                                                      • PrintMessageFromModule.NETSH(000000C8,?,?), ref: 00A6419F
                                                                                                                                                                                                                        • Part of subcall function 00A67EA0: LoadStringW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00A6471D,?,?,00004000,?,00000000,?,?,00A6471D,000000B6,?), ref: 00A67ED0
                                                                                                                                                                                                                        • Part of subcall function 00A67EA0: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00A6471D,GetResourceString,?,00A6471D,000000B6,?), ref: 00A67EE2
                                                                                                                                                                                                                      • PrintMessageFromModule.NETSH(000000C9), ref: 00A641B6
                                                                                                                                                                                                                      • PrintMessageFromModule.NETSH(000000CA,?), ref: 00A641D3
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4564643629.0000000000A79000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4564709602.0000000000A7C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_a60000_netsh.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FromMessageModulePrint$String$AddressConvertGuidLoadProc
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2510173387-0
                                                                                                                                                                                                                      • Opcode ID: ad5c80d86ad651e09919b21dc46ab2638f92ead156e5c151b3ebf6a254151259
                                                                                                                                                                                                                      • Instruction ID: 4c8fc95cd0e8f9e0f02cab7d478be9daa0c97712eb885467542dec15ca8a3ad1
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ad5c80d86ad651e09919b21dc46ab2638f92ead156e5c151b3ebf6a254151259
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: E22195729102099FDF08DFA4DD81CAEB7B9FF54300F104169E5199F251EB31AD86CB80
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • _wfopen.MSVCRT ref: 00A66969
                                                                                                                                                                                                                      • PrintMessageFromModule.NETSH(0000006C,?,?,?,?,00A62514), ref: 00A66980
                                                                                                                                                                                                                        • Part of subcall function 00A67EA0: LoadStringW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00A6471D,?,?,00004000,?,00000000,?,?,00A6471D,000000B6,?), ref: 00A67ED0
                                                                                                                                                                                                                        • Part of subcall function 00A67EA0: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00A6471D,GetResourceString,?,00A6471D,000000B6,?), ref: 00A67EE2
                                                                                                                                                                                                                      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00A66988
                                                                                                                                                                                                                      • fclose.MSVCRT ref: 00A669B7
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4564643629.0000000000A79000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4564709602.0000000000A7C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_a60000_netsh.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: AddressErrorFromLastLoadMessageModulePrintProcString_wfopenfclose
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2254135562-0
                                                                                                                                                                                                                      • Opcode ID: e59953f86dfe0d3291fd398c56bb1e40c462300b8812c144cc1a2579b14bfeaf
                                                                                                                                                                                                                      • Instruction ID: 54984f78f9f1d06ba12191e42bc7556342dfd6b08357d81724d30d3276ff98cf
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e59953f86dfe0d3291fd398c56bb1e40c462300b8812c144cc1a2579b14bfeaf
• Instruction Fuzzy Hash: DA0184B3A00210ABC714DBEABC0485ABBF9E785760715812AF50DD3210EB709D028B90
APIs
• FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000900,?,?,00000000,?,00000000,?), ref: 00A67F68
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00A67F74
• GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5), ref: 00A67F7E
• LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000), ref: 00A67F97
Memory Dump Source
• Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
• Associated: 00000008.00000002.4564643629.0000000000A79000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.4564709602.0000000000A7C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_a60000_netsh.jbxd
Similarity
• API ID: ErrorFormatFreeHandleLastLocalMessage
• String ID:
• API String ID: 1910557688-0
• Opcode ID: a1e88abbb37e95b2d393bb52f0066f6b5496100c31e44c67723198e7b6ae7b75
• Instruction ID: 1317d8d25d93649b1dc5bd46622c714015763dc1478fcd19f28d79ef39adde86
• Opcode Fuzzy Hash: a1e88abbb37e95b2d393bb52f0066f6b5496100c31e44c67723198e7b6ae7b75
• Instruction Fuzzy Hash: ABF08C72924108FFDF059B90DC09DEE7BB9EB44310F204256F81A92250E7309F41DB50
APIs
  • Part of subcall function 00A699B8: GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000), ref: 00A699BF
• __set_app_type.MSVCRT ref: 00A69412
• __p__fmode.MSVCRT ref: 00A69428
• __p__commode.MSVCRT ref: 00A69436
• __setusermatherr.MSVCRT ref: 00A69457
Memory Dump Source
• Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
• Associated: 00000008.00000002.4564643629.0000000000A79000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.4564709602.0000000000A7C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_a60000_netsh.jbxd
Similarity
• API ID: HandleModule__p__commode__p__fmode__set_app_type__setusermatherr
• String ID:
• API String ID: 1632413811-0
• Opcode ID: 2827b1f069f138bd902eeb9b16efb80e46c66239e28c82c80acbcdb8e74448af
• Instruction ID: a8d211100fbf859abbeb9ce73eaeb84bdca2258c98917eacce9f3663c2b33102
• Opcode Fuzzy Hash: 2827b1f069f138bd902eeb9b16efb80e46c66239e28c82c80acbcdb8e74448af
• Instruction Fuzzy Hash: 54F0DAB25043429FDB18EFF0AD4E5463BB4E744371B51871AE466862E0CB7581D3DA10
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.4565640687.0000000003C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C10000, based on PE: true
• Associated: 00000008.00000002.4565640687.0000000003D39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4565640687.0000000003D3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4565640687.0000000003DAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3c10000_netsh.jbxd
Similarity
• API ID: __aulldvrm
• String ID: +$-
• API String ID: 1302938615-2137968064
• Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
• Instruction ID: e9982d5cec6a36cac02b2b842b317606f5ba4dc79e6387d8679df3aaefc033e5
• Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
• Instruction Fuzzy Hash: 62919471E002159FDB24EF6ACC816BEB7A5AF44368F78455AE865EB2C0F7309B408750
Strings
Memory Dump Source
• Source File: 00000008.00000002.4565640687.0000000003C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C10000, based on PE: true
• Associated: 00000008.00000002.4565640687.0000000003D39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4565640687.0000000003D3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4565640687.0000000003DAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3c10000_netsh.jbxd
Similarity
• API ID:
• String ID: $$@
• API String ID: 0-1194432280
• Opcode ID: a9693f5c5efa89d2024516c56c75b301a0babef237dd1858e279613da06b163c
• Instruction ID: d1ce6fa1cf9720dc2bbd7b7c9ebe09565ea5f346cd0148d6c4735f1bf743b122
• Opcode Fuzzy Hash: a9693f5c5efa89d2024516c56c75b301a0babef237dd1858e279613da06b163c
• Instruction Fuzzy Hash: 18812876D002799BDB21DB54CC44BEEB7B8AF08714F0545EAA909FB280D7309E84CFA4
APIs
• @_EH4_CallFilterFunc@8.LIBCMT ref: 03CCCFBD
Strings
Memory Dump Source
• Source File: 00000008.00000002.4565640687.0000000003C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C10000, based on PE: true
• Associated: 00000008.00000002.4565640687.0000000003D39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4565640687.0000000003D3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4565640687.0000000003DAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_3c10000_netsh.jbxd
Similarity
• API ID: CallFilterFunc@8
• String ID: @$@4Cw@4Cw
• API String ID: 4062629308-3101775584
• Opcode ID: 8b74790a204979b32c94487146750723a9983be316a1df1d8739b8e1a5c70a12
• Instruction ID: 40bf33cd0935bdcc7b9293bea4e3855c47622fd537e947ecb696d5d6f764a62f
• Opcode Fuzzy Hash: 8b74790a204979b32c94487146750723a9983be316a1df1d8739b8e1a5c70a12
• Instruction Fuzzy Hash: 8041BD75910254DFCB21EFA9C840AAEBBB8EF45B00F05403EE915DF254E734D941DB68
APIs
• LoadStringW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00A6471D,?,?,00004000,?,00000000,?,?,00A6471D,000000B6,?), ref: 00A67ED0
• GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00A6471D,GetResourceString,?,00A6471D,000000B6,?), ref: 00A67EE2
Strings
Memory Dump Source
• Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
• Associated: 00000008.00000002.4564643629.0000000000A79000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.4564709602.0000000000A7C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_a60000_netsh.jbxd
Similarity
• API ID: AddressLoadProcString
• String ID: GetResourceString
• API String ID: 2390443819-1598891890
• Opcode ID: f3313ade69c2ee49fe39d151991dca32fa1aeaf3ada3b6b2f9d1daf5923e9dc8
• Instruction ID: b2afe45b148ba46b38ff48da3dcd0619f5c1a49e47223528f952a27dce4662e3
• Opcode Fuzzy Hash: f3313ade69c2ee49fe39d151991dca32fa1aeaf3ada3b6b2f9d1daf5923e9dc8
• Instruction Fuzzy Hash: 6A016135510219ABCB21DF64DC449AEB7B9FB84754F0181A6E909A3250EE30DE498F90
APIs
• memset.MSVCRT ref: 00A64CDC
• RegisterContext.NETSH(?), ref: 00A64D22
  • Part of subcall function 00A645E0: wcschr.MSVCRT ref: 00A64620
  • Part of subcall function 00A645E0: wcschr.MSVCRT ref: 00A64635
  • Part of subcall function 00A645E0: wcschr.MSVCRT ref: 00A64675
  • Part of subcall function 00A645E0: wcschr.MSVCRT ref: 00A64685
  • Part of subcall function 00A645E0: PrintMessageFromModule.NETSH(000000B5,?), ref: 00A6469E
Strings
Memory Dump Source
• Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
• Associated: 00000008.00000002.4564643629.0000000000A79000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.4564709602.0000000000A7C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_a60000_netsh.jbxd
Similarity
• API ID: wcschr$ContextFromMessageModulePrintRegistermemset
• String ID: netsh
• API String ID: 1453721150-4166728403
• Opcode ID: a99af01d002a60fb709a3acc52b1b680c95ab72360eb4703bbb3d0f8e738958a
• Instruction ID: b2da9ea27d69c78a221f82da65eee069c2c5dfc14bd44d24bc172a22e852bba3
• Opcode Fuzzy Hash: a99af01d002a60fb709a3acc52b1b680c95ab72360eb4703bbb3d0f8e738958a
• Instruction Fuzzy Hash: 02013CB1D1020C9BDB00DF95C909BCFBBB8AB45318F144029E514BB241DBB55A0ACBA9
APIs
                                                                                                                                                                                                                        • Part of subcall function 00A65EB0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,0000000C,?,00000000,?,?,?,?,00A651DC,?,?,?,00A64B22,?,?,?), ref: 00A65D5D
                                                                                                                                                                                                                        • Part of subcall function 00A65EB0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00A651DC,?,?,?,00A64B22,?,?,?,?,?), ref: 00A65D64
                                                                                                                                                                                                                        • Part of subcall function 00A65EB0: PrintMessageFromModule.NETSH(00000068,?,?,00A651DC,?,?,?,00A64B22,?,?,?,?,?), ref: 00A65E91
                                                                                                                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,00000000,?,?,?,?,00A64B22,?,?,?,?,?), ref: 00A6525B
                                                                                                                                                                                                                      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00A64B22,?,?,?,?,?), ref: 00A65262
                                                                                                                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,00000000,?,?,?,?,00A64B22,?,?,?,?,?), ref: 00A65286
                                                                                                                                                                                                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00A64B22,?,?,?,?,?), ref: 00A6528D
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4564643629.0000000000A79000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4564709602.0000000000A7C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_a60000_netsh.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Heap$Process$Alloc$FreeFromMessageModulePrint
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 206731548-0
                                                                                                                                                                                                                      • Opcode ID: 723211ed4a33d7ff2ef101ea9f9b6d8c2d9af330cc7e42b69ca278cfc32adb9a
                                                                                                                                                                                                                      • Instruction ID: 0be984184bb3809b8c18ed108e0d10e59fe7bfdf3d62e7290fffa043941ded11
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 723211ed4a33d7ff2ef101ea9f9b6d8c2d9af330cc7e42b69ca278cfc32adb9a
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: AC31C571F00A019BCB24DFB5C8A4AEAB3F5EF58714F588529E90AD7240E731ED85C750
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,?,?,00A64EFC,?,00000001,?,?,00A684AB,00000000,?,?), ref: 00A652ED
                                                                                                                                                                                                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00A64EFC,?,00000001,?,?,00A684AB,00000000,?,?,?,00A64CB5,?,00000002,?), ref: 00A652F4
                                                                                                                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,00A64EFC,?,00000001,?,?,00A684AB,00000000,?), ref: 00A6533C
                                                                                                                                                                                                                      • HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00A64EFC,?,00000001,?,?,00A684AB,00000000,?,?,?,00A64CB5,?,00000002,?), ref: 00A65343
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4564643629.0000000000A79000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4564709602.0000000000A7C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_a60000_netsh.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Heap$AllocProcess
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1617791916-0
                                                                                                                                                                                                                      • Opcode ID: 0f025ebece79308b527e68e68e6f839af6c4eb72b2f5afaabbb1e90c239a76e5
                                                                                                                                                                                                                      • Instruction ID: 5083c1dc6e23fcd2d83d26c610eb5e2ddbeaec460707cc213a0e757419c6ec61
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0f025ebece79308b527e68e68e6f839af6c4eb72b2f5afaabbb1e90c239a76e5
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4A210536A005009BCB24DFB9CC544A7B7B8EF887507558529ED0ACB304E671AD43CB50
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000001,00000000,?,?,00000003), ref: 00A6673C
                                                                                                                                                                                                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A66743
                                                                                                                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000001,00000000,?,?,00000003), ref: 00A6674F
                                                                                                                                                                                                                      • HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A66756
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4564643629.0000000000A79000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4564709602.0000000000A7C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_a60000_netsh.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Heap$AllocProcess
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1617791916-0
                                                                                                                                                                                                                      • Opcode ID: 0a5e9424b037d6f1bd0bdcf4719ecd10813f8866a31d9a8aec4c10bd7c37199e
                                                                                                                                                                                                                      • Instruction ID: 1b0e2eeaeca532b41b56bc86d393355e5383dcbde7ce5e177d69e387621da46e
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0a5e9424b037d6f1bd0bdcf4719ecd10813f8866a31d9a8aec4c10bd7c37199e
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: AE11E536600215EFCB119FA9DC8CB8A7BB9EF89365F148429F509DB290CB70AC41C750
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A623E4
                                                                                                                                                                                                                      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A623EB
                                                                                                                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 00A623FA
                                                                                                                                                                                                                      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00A62401
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4564643629.0000000000A79000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4564709602.0000000000A7C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_a60000_netsh.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Heap$FreeProcess
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3859560861-0
                                                                                                                                                                                                                      • Opcode ID: 13f9b18c8c89341d2ea98073b03aed7ebf91f8b4ed4a2835ea0d63fb5657dd0a
                                                                                                                                                                                                                      • Instruction ID: 35f68227b87b88372cbc8d514680313fa01e5cc5d7fab2542257168fd95921b0
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 13f9b18c8c89341d2ea98073b03aed7ebf91f8b4ed4a2835ea0d63fb5657dd0a
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2CF06272A615109BD7218FA5EC0CB6A7A39AF85731F15802AF45D8F290C7349C83DB90
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,00A65B32,?,?,00000000,?,00A65D0B,?), ref: 00A65A78
                                                                                                                                                                                                                      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,00A65B32,?,?,00000000,?,00A65D0B,?), ref: 00A65A7F
                                                                                                                                                                                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,00A65B32,?,?,00000000,?,00A65D0B,?), ref: 00A65A8D
                                                                                                                                                                                                                      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,00A65B32,?,?,00000000,?,00A65D0B,?), ref: 00A65A94
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000008.00000002.4564643629.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A60000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4564643629.0000000000A79000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000008.00000002.4564709602.0000000000A7C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_8_2_a60000_netsh.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Heap$FreeProcess
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3859560861-0
                                                                                                                                                                                                                      • Opcode ID: 5af96eeb451eac938bed086edccb48ab69777f2865ae50243db2961e8db6597d
                                                                                                                                                                                                                      • Instruction ID: b13c1ad9a3eaf76a86b4b61628729ccc0117143e4d0c2ea945256b72ff00c3ce
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 5af96eeb451eac938bed086edccb48ab69777f2865ae50243db2961e8db6597d
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 83E04F73A20621ABCB145BF96C8CF87AA6DDB98763F018126B60DD20508A714C438AB0